CVE-2011-2726 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2011-2726?

CVE-2011-2726 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2011-2726?

Check the references section above for vendor advisories and patch information. Affected products include: Drupal Drupal, Debian Debian Linux, Redhat Enterprise Linux, Fedoraproject Fedora.

Vulnerability Description

An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Drupal	Drupal	>= 7.0, < 7.5
Debian	Debian Linux	8.0
Redhat	Enterprise Linux	5.0
Fedoraproject	Fedora	14

Related Weaknesses (CWE)

CWE-863

References

http://www.openwall.com/lists/oss-security/2012/03/19/10Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2012/03/20/14Mailing ListThird Party Advisory
https://access.redhat.com/security/cve/cve-2011-2726Broken Link
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2726Issue TrackingThird Party Advisory
https://security-tracker.debian.org/tracker/CVE-2011-2726Third Party Advisory
https://www.drupal.org/node/1231510Vendor Advisory
http://www.openwall.com/lists/oss-security/2012/03/19/10Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2012/03/20/14Mailing ListThird Party Advisory
https://access.redhat.com/security/cve/cve-2011-2726Broken Link
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2726Issue TrackingThird Party Advisory
https://security-tracker.debian.org/tracker/CVE-2011-2726Third Party Advisory
https://www.drupal.org/node/1231510Vendor Advisory

FAQ

What is CVE-2011-2726?

CVE-2011-2726 is a vulnerability with a CVSS score of 7.5 (HIGH). An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual...

How severe is CVE-2011-2726?

CVE-2011-2726 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2011-2726?

Check the references section above for vendor advisories and patch information. Affected products include: Drupal Drupal, Debian Debian Linux, Redhat Enterprise Linux, Fedoraproject Fedora.