Drupal Patches Critical Access Bypass Vulnerability

April 25, 2023

Drupal Core has released a security advisory addressing a vulnerability that affects multiple Drupal versions. In some circumstances, the file download facility doesn’t sufficiently sanitize file paths, so users might gain access to private files that they should not have access to.

The Vulnerability

  • SA-CORE-2023-005 – Bypass Vulnerability. Successful exploitation of this vulnerability may allow an unauthorized threat actor to take over a vulnerable system.

Affected Products

  • Drupal 7, 9 and 10.

Mitigation

CYREBRO recommends updating relevant products to the latest available releases in accordance with the Drupal Advisory.

Note

Following this security release, some websites might need their settings changed. If you experience difficulties accessing private files after updating, check the release notes for your Drupal version.

References: Drupal Advisory