Information Disclosure Affecting drupal/drupal package, versions >=8.0.0, <8.1.0 >=8.1.0, <8.2.0 >=8.2.0, <8.3.0 >=8.3.0, <8.4.0 >=8.4.0, <8.5.0 >=8.5.0, <8.6.0 >=8.6.0, <8.7.0 >=8.7.0, <8.8.0 >=8.8.0, <8.8.10 >=8.9.0, <8.9.6 >=9.0.0, <9.0.6
Snyk CVSS
Attack Complexity
Low
Threat Intelligence
EPSS
0.15% (52nd
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-DRUPALDRUPAL-1009857
- published 18 Sep 2020
- disclosed 18 Sep 2020
- credit Unknown
Introduced: 18 Sep 2020
CVE-2020-13670 Open this link in a new tabHow to fix?
Upgrade drupal/drupal
to version 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.8.10, 8.9.6, 9.0.6 or higher.
Overview
drupal/drupal is an open source content management platform powering millions of websites and applications.
Affected versions of this package are vulnerable to Information Disclosure. A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.