it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011
- Date: Wed, 16 Sep 2020 18:17:06 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-core-2020-011
Project: Drupal core [1]
Date: 2020-September-16
Security risk: *Moderately critical* 12∕25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information disclosure
CVE IDs: CVE-2020-13670
Description:
A vulnerability exists in the File module which allows an attacker to gain
access to the file metadata of a permanent private file that they do not have
access to by guessing the ID of the file.
Solution:
Install the latest version:
* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 [3].
* If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 [4].
* If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 [5].
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.10.
Reported By:
* David Rothstein [6] of the Drupal Security Team
* Ivan [7]
* elarlang [8]
* Mori Sugimoto [9] of the Drupal Security Team
* kyk [10]
Fixed By:
* Michael Hess [11] of the Drupal Security Team
* Peter Wolanin [12] of the Drupal Security Team
* Stefan Ruijsenaars [13]
* David Rothstein [14] of the Drupal Security Team
* Jess [15] of the Drupal Security Team
* Ben Dougherty [16] of the Drupal Security Team
* Frédéric G. Marand [17]
* Samuel Mortenson [18] of the Drupal Security Team
* Joseph Zhao [19], provisional member of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.8.10
[4] https://www.drupal.org/project/drupal/releases/8.9.6
[5] https://www.drupal.org/project/drupal/releases/9.0.6
[6] https://www.drupal.org/user/124982
[7] https://www.drupal.org/user/556138
[8] https://www.drupal.org/user/3583903
[9] https://www.drupal.org/user/82971
[10] https://www.drupal.org/user/29822
[11] https://www.drupal.org/user/102818
[12] https://www.drupal.org/user/49851
[13] https://www.drupal.org/user/551886
[14] https://www.drupal.org/user/124982
[15] https://www.drupal.org/user/65776
[16] https://www.drupal.org/user/1852732
[17] https://www.drupal.org/user/27985
[18] https://www.drupal.org/user/2582268
[19] https://www.drupal.org/user/1987218
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011, security-news, 16.09.2020
Archiv bereitgestellt durch MHonArc 2.6.19.