Access bypass in Drupal core
Critical severity
GitHub Reviewed
Published
Apr 26, 2023
to the GitHub Advisory Database
•
Updated Nov 12, 2023
Package
Affected versions
>= 10.0.0, < 10.0.8
>= 9.5.0, < 9.5.8
>= 9.0.0, < 9.4.14
>= 7.0.0, < 7.96
Patched versions
10.0.8
9.5.8
9.4.14
7.96
Description
Published by the National Vulnerability Database
Apr 26, 2023
Published to the GitHub Advisory Database
Apr 26, 2023
Reviewed
Apr 27, 2023
Last updated
Nov 12, 2023
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.
References