Vulnerability Description
The CDN module 6.x-2.2 and 7.x-2.2 for Drupal, when running in Origin Pull mode with the "Far Future expiration" option enabled, allows remote attackers to read arbitrary PHP files via unspecified vectors, as demonstrated by reading settings.php.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wimleers | Cdn | 6.x-2.2 |
| Drupal | Drupal | - |
Related Weaknesses (CWE)
References
- http://drupal.org/node/1441480
- http://drupal.org/node/1441482Patch
- http://drupalcode.org/project/cdn.git/commitdiff/cd2a5ffPatch
- http://drupalcode.org/project/cdn.git/commitdiff/eca85e6Patch
- http://secunia.com/advisories/48032Vendor Advisory
- http://www.openwall.com/lists/oss-security/2012/04/07/1
- http://www.osvdb.org/79317
- https://drupal.org/node/1441502PatchVendor Advisory
- http://drupal.org/node/1441480
- http://drupal.org/node/1441482Patch
- http://drupalcode.org/project/cdn.git/commitdiff/cd2a5ffPatch
- http://drupalcode.org/project/cdn.git/commitdiff/eca85e6Patch
- http://secunia.com/advisories/48032Vendor Advisory
- http://www.openwall.com/lists/oss-security/2012/04/07/1
- http://www.osvdb.org/79317
FAQ
What is CVE-2012-1645?
CVE-2012-1645 is a vulnerability with a CVSS score of 2.6 (LOW). The CDN module 6.x-2.2 and 7.x-2.2 for Drupal, when running in Origin Pull mode with the "Far Future expiration" option enabled, allows remote attackers to read arbitrary PHP files via unspecified vec...
How severe is CVE-2012-1645?
CVE-2012-1645 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-1645?
Check the references section above for vendor advisories and patch information. Affected products include: Wimleers Cdn, Drupal Drupal.