CVE-2020-13670 – drupal/core
Package
Manager: composer
Name: drupal/core
Vulnerable Version: >=8.0.0 <8.8.10 || >=8.9.0 <8.9.6 || >=9.0.0 <9.0.6
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00322 (percentile: 0.54678)
Details
Exposure of Resource to Wrong Sphere in Drupal Core. An information disclosure vulnerability in the file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects Drupal Core 8.8.x versions prior to 8.8.10, 8.9.x versions prior to 8.9.6, and 9.0.x versions prior to 9.0.6.
Metadata
Created: 2022-02-12T00:00:47Z
Modified: 2022-02-25T15:35:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-mmjr-5q74-p3m4/GHSA-mmjr-5q74-p3m4.json
CWE IDs: ["CWE-668"]
Alternative ID: GHSA-mmjr-5q74-p3m4
Finding: F017
Auto approve: 1