CVE-2012-1591

The image module in Drupal 7.x before 7.14 does not properly check permissions when caching derivative image styles of private images, which allows remote attackers to read private image styles.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://drupal.org/node/1557938	Vendor Advisory
http://drupal.org/node/1507988
http://drupalcode.org/project/drupal.git/commit/3bf6761ff7537dc68e22ea73f155134f3cfd41a8
http://drupal.org/drupal-7.14	Patch
http://www.securityfocus.com/bid/53359
http://secunia.com/advisories/49012
http://www.mandriva.com/security/advisories?name=MDVSA-2013:074

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:drupal:drupal:7.0:alpha3::::::
	cpe:2.3:a:drupal:drupal:7.0:dev::::::
	cpe:2.3:a:drupal:drupal:7.0:rc4::::::
	cpe:2.3:a:drupal:drupal:7.0:alpha5::::::
	cpe:2.3:a:drupal:drupal:7.1:::::::*
	cpe:2.3:a:drupal:drupal:7.3:::::::*
	cpe:2.3:a:drupal:drupal:7.8:::::::*
	cpe:2.3:a:drupal:drupal:7.11:::::::*
	cpe:2.3:a:drupal:drupal:7.0:rc2::::::
	cpe:2.3:a:drupal:drupal:7.0:alpha7::::::
	cpe:2.3:a:drupal:drupal:7.0:beta3::::::
	cpe:2.3:a:drupal:drupal:7.0:beta2::::::
	cpe:2.3:a:drupal:drupal:7.0:rc3::::::
	cpe:2.3:a:drupal:drupal:7.0:alpha1::::::
	cpe:2.3:a:drupal:drupal:7.0:alpha4::::::
	cpe:2.3:a:drupal:drupal:7.13:::::::*
	cpe:2.3:a:drupal:drupal:7.5:::::::*
	cpe:2.3:a:drupal:drupal:7.10:::::::*
	cpe:2.3:a:drupal:drupal:7.6:::::::*
	cpe:2.3:a:drupal:drupal:7.12:::::::*
	cpe:2.3:a:drupal:drupal:7.9:::::::*
	cpe:2.3:a:drupal:drupal:7.0:rc1::::::
	cpe:2.3:a:drupal:drupal:7.4:::::::*
	cpe:2.3:a:drupal:drupal:7.x-dev:::::::*
	cpe:2.3:a:drupal:drupal:7.0:alpha2::::::
	cpe:2.3:a:drupal:drupal:7.0:alpha6::::::
	cpe:2.3:a:drupal:drupal:7.0:::::::*
	cpe:2.3:a:drupal:drupal:7.0:beta1::::::
	cpe:2.3:a:drupal:drupal:7.7:::::::*
	cpe:2.3:a:drupal:drupal:7.2:::::::*

Information

Published : 2012-09-30 17:55

Updated : 2013-12-12 20:58

NVD link : CVE-2012-1591

Mitre link : CVE-2012-1591

JSON object : View

CWE

CWE-264

Permissions, Privileges, and Access Controls

Products Affected

drupal

drupal

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://drupal.org/node/1557938", "name": "http://drupal.org/node/1557938", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://drupal.org/node/1507988", "name": "http://drupal.org/node/1507988", "tags": [], "refsource": "CONFIRM"}, {"url": "http://drupalcode.org/project/drupal.git/commit/3bf6761ff7537dc68e22ea73f155134f3cfd41a8", "name": "http://drupalcode.org/project/drupal.git/commit/3bf6761ff7537dc68e22ea73f155134f3cfd41a8", "tags": [], "refsource": "CONFIRM"}, {"url": "http://drupal.org/drupal-7.14", "name": "http://drupal.org/drupal-7.14", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/53359", "name": "53359", "tags": [], "refsource": "BID"}, {"url": "http://secunia.com/advisories/49012", "name": "49012", "tags": [], "refsource": "SECUNIA"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:074", "name": "MDVSA-2013:074", "tags": [], "refsource": "MANDRIVA"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The image module in Drupal 7.x before 7.14 does not properly check permissions when caching derivative image styles of private images, which allows remote attackers to read private image styles."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-264"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2012-1591", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2012-10-01T00:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.0:alpha3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.0:dev:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.0:rc4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.0:alpha5:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.0:rc2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.0:alpha7:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.0:beta3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.0:beta2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.0:rc3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.0:alpha1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.0:alpha4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.13:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.12:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.0:rc1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.x-dev:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.0:alpha2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.0:alpha6:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.0:beta1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:drupal:drupal:7.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2013-12-13T04:58Z"}

5.0 /10