Candidate: CVE-2011-2726
PublicDate: 2019-11-15 17:15:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2726
 http://www.openwall.com/lists/oss-security/2011/11/20/3
Description:
 An access bypass issue was found in Drupal 7.x before version 7.5. If a
 Drupal site has the ability to attach File upload fields to any entity type
 in the system or has the ability to point individual File upload fields to
 the private file directory in comments, and the parent node is denied
 access, non-privileged users can still download the file attached to the
 comment if they know or guess its direct URL.

 If a Drupal site is using these features on comments, and the parent node is
 denied access (either by a node access module or by being unpublished), the
 file attached to the comment can still be downloaded by non-privileged users if
 they know or guess its direct URL.

 This issue affects Drupal 7.x only.
Ubuntu-Description: 
Notes: 
 tyhicks> 7.x, before 7.5, affected
Bugs: 
Priority: low
Discovered-by:
Assigned-to: 
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_drupal7:
upstream_drupal7: not-affected (7.9-1)
hardy_drupal7: DNE
lucid_drupal7: DNE
maverick_drupal7: DNE
natty_drupal7: DNE
oneiric_drupal7: DNE
devel_drupal7: not-affected (7.9-1)