Detections
Analytics
Drupal 8.7.x < 8.7.11 Multiple Vulnerabilities
critical Web App Scanning Plugin ID 98782
Language:
Synopsis
Drupal 8.7.x < 8.7.11 Multiple VulnerabilitiesDescription
According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities :- The Drupal project uses the third-party library Archive_Tar, which has released a security update that impacts some Drupal configurations. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them. The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities. (SA-CORE-2019-012)
- The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations. (SA-CORE-2019-011)
- Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did. Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file. After this fix, file_save_upload() now trims leading and trailing dots from filenames. (SA-CORE-2019-010)
- A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt. (SA-CORE-2019-009)
Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update to Drupal version 8.7.11 or latest.See Also
https://www.drupal.org/project/drupal/releases/8.7.11
https://www.drupal.org/sa-core-2019-009
https://www.drupal.org/sa-core-2019-010
Plugin Details
Severity: Critical
ID: 98782
Type: remote
Family: Component Vulnerability
Published: 1/8/2020
Updated: 3/14/2023
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: High
Score: 7.4
CVSS v2
Risk Factor: High
Base Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: Tenable
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: Tenable
Vulnerability Information
CPE: cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Exploit Ease: No known exploits are available
Patch Publication Date: 12/18/2019
Vulnerability Publication Date: 12/18/2019
Reference Information
CWE: 284
OWASP: 2010-A8, 2013-A7, 2013-A9, 2017-A5, 2017-A9, 2021-A1, 2021-A6
WASC: Insufficient Authorization
CAPEC: 19, 441, 478, 479, 502, 503, 536, 546, 550, 551, 552, 556, 558, 562, 563, 564, 578
DISA STIG: APSC-DV-000460, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)
ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5
NIST: sp800_53-AC-3, sp800_53-CM-6b
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-1.4.2, 4.0.2-14.2.1