The file download facility doesn’t sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.
Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.
This advisory is covered by Drupal Steward.
We would normally not apply for a release of this severity. However, in this case we have chosen to apply Drupal Steward security coverage to test our processes.
Drupal 7
All Drupal 7 sites on Windows web servers are vulnerable.
Drupal 7 sites on Linux web servers are vulnerable with certain file directory structures, or if a vulnerable contributed or custom file access module is installed.
Drupal 9 and 10
Drupal 9 and 10 sites are only vulnerable if certain contributed or custom file access modules are installed.
Install the latest version:
If you are using Drupal 10.0, update to Drupal 10.0.8.
If you are using Drupal 9.5, update to Drupal 9.5.8.
If you are using Drupal 9.4, update to Drupal 9.4.14.
If you are using Drupal 7, update to Drupal 7.96.
All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Heine of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
David Rothstein of the Drupal Security Team
xjm of the Drupal Security Team
Wim Leers
Damien McKenna of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Conrad Lara
Peter Wolanin of the Drupal Security Team
Drew Webber of the Drupal Security Team
Benji Fisher of the Drupal Security Team
Juraj Nemec, provisional member of the Drupal Security Team
Jen Lampton, provisional member of the Drupal Security Team
Dave Long of the Drupal Security Team
Kim Pepper
Alex Pott of the Drupal Security Team
Neil Drumm of the Drupal Security Team
More Stories
ZDI-CAN-25373: Microsoft
A CVSS score 7.0 AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Peter Girnus - Trend Micro Zero Day Initiative' was reported to...
DSA-5774-1 ruby-saml – security update
It was discovered that ruby-saml, a SAML library implementing the client side of a SAML authorization, does not properly verify...
USN-6968-2: PostgreSQL vulnerability
USN-6968-1 fixed CVE-2024-7348 in PostgreSQL-12, PostgreSQL-14, and PostgreSQL-16 This update provides the corresponding updates for PostgreSQL-9.5 in Ubuntu 16.04 LTS....
USN-7015-2: Python vulnerabilities
USN-7015-1 fixed several vulnerabilities in Python. This update provides one of the corresponding updates for python2.7 for Ubuntu 16.04 LTS,...
USN-7027-1: Emacs vulnerabilities
It was discovered that Emacs incorrectly handled input sanitization. An attacker could possibly use this issue to execute arbitrary commands....
USN-7024-1: tgt vulnerability
It was discovered that tgt attempts to achieve entropy by calling rand without srand. The PRNG seed is always 1,...