Candidate: CVE-2017-6922
PublicDate: 2019-01-22 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6922
 https://www.drupal.org/SA-CORE-2017-003
 http://cgit.drupalcode.org/drupal/diff/?h=7.x&id=600c1346ed976e6f35fc2b0f907a7837f0f7c145&id2=9eebe462d1e93e785e6c028dc6cf689623c4d936
Description:
 In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56;
 Private files that have been uploaded by an anonymous user but not
 permanently attached to content on the site should only be visible to the
 anonymous user that uploaded them, rather than all anonymous users. Drupal
 core did not previously provide this protection, allowing an access bypass
 vulnerability to occur. This issue is mitigated by the fact that in order
 to be affected, the site must allow anonymous users to upload files into a
 private file system.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865498
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [6.5 MEDIUM]

Patches_drupal7:
 upstream: http://cgit.drupalcode.org/drupal/diff/?h=7.x&id=600c1346ed976e6f35fc2b0f907a7837f0f7c145&id2=9eebe462d1e93e785e6c028dc6cf689623c4d936
upstream_drupal7: released (7.56-1)
precise/esm_drupal7: DNE
trusty_drupal7: ignored (reached end-of-life)
trusty/esm_drupal7: DNE (trusty was needed)
vivid/ubuntu-core_drupal7: DNE
xenial_drupal7: ignored (end of standard support, was needed)
yakkety_drupal7: ignored (reached end-of-life)
zesty_drupal7: released (7.52-2+deb9u1build0.17.04.1)
artful_drupal7: not-affected (7.56-1)
bionic_drupal7: DNE
cosmic_drupal7: DNE
disco_drupal7: DNE
eoan_drupal7: DNE
focal_drupal7: DNE
groovy_drupal7: DNE
hirsute_drupal7: DNE
impish_drupal7: DNE
jammy_drupal7: DNE
devel_drupal7: DNE