प्लेटफ़ॉर्म
drupal
घटक
image
में ठीक किया गया
9.3.19
9.4.3
CVE-2022-25275 Drupal Core में एक सूचना प्रकटीकरण भेद्यता है। इस भेद्यता के कारण, इमेज मॉड्यूल इमेज स्टाइल सिस्टम का उपयोग करके व्युत्पन्न इमेज बनाते समय मानक सार्वजनिक फ़ाइल निर्देशिका में संग्रहीत नहीं की गई इमेज फ़ाइलों तक पहुंच की सही तरीके से जांच नहीं करता है। यह भेद्यता Drupal 7.x और Drupal 9.x को प्रभावित करती है। यह समस्या Drupal 7.91 में ठीक की गई है।
CVE-2022-25275 in Drupal Core affects the Image module when generating derivative images using the image style system. The issue lies in the fact that, in certain circumstances, the module does not correctly check access permissions to image files that are not stored in the standard public files directory. Specifically, access checks for non-public files are only performed if they are stored in the 'private' file system. However, some contributed modules provide additional file systems or schemes, which can allow unauthorized access to these files. This could allow an attacker to access sensitive files that should not be publicly accessible, compromising the confidentiality of data stored on the Drupal site. The vulnerability's severity is rated as 7.5 on the CVSS scale, indicating a moderately high risk.
An attacker could exploit this vulnerability if the Drupal site uses contributed modules that implement custom file systems for image handling and if these file systems do not correctly verify access permissions. The attacker could create or modify an image that is processed through the image style system, causing the Image module to attempt to access a non-public file without proper authorization. The success of exploitation depends on the site's configuration and the presence of vulnerable contributed modules. The lack of adequate permission validation for file access is the key factor enabling exploitation.
एक्सप्लॉइट स्थिति
EPSS
0.38% (59% शतमक)
CVSS वेक्टर
The primary mitigation for CVE-2022-25275 is to update Drupal Core to version 7.91 or higher. This update corrects the permission checking flaw in the Image module. Additionally, it's important to review and update any contributed modules that utilize custom file systems or alternative schemes for image file handling. Ensure these modules correctly implement file access checks, regardless of where the files are stored. Finally, it is recommended to configure the Drupal site to use the 'private' file system for storing sensitive files whenever possible, to further reinforce security.
Actualice el módulo Image a la versión 9.4.3 o superior, o a la versión 7.91 o superior si está utilizando Drupal 7. Revise las notas de la versión de su versión de Drupal para obtener más información si tiene problemas para acceder a archivos o estilos de imagen después de actualizar.
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
Drupal's image style system allows you to create different versions of an image (e.g., thumbnails, large images, images optimized for the web) from an original image. These versions are automatically generated when a specific image is needed.
The private file system in Drupal is a directory where files are stored that are not directly accessible through the website's URL. These files are protected and can only be accessed by Drupal code.
If you cannot update Drupal Core immediately, consider temporarily disabling the Image module or the image style system until you can apply the update. Also, review contributed modules that may be affecting file handling.
Review the list of contributed modules installed on your Drupal site and check if there are any updates available for them. Consult the version notes of the modules to see if security issues related to file handling have been addressed.
There are Drupal security scanners that can help detect this vulnerability. Consult Drupal documentation for a list of recommended tools.
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
अपनी composer.lock फ़ाइल अपलोड करें और तुरंत जानें कि आप प्रभावित हैं या नहीं।