[IT-SecNots] [Security-news] Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-core-2025-008

Project: Drupal core [1]
Date: 2025-November-12
Security risk: *Moderately critical* 10 ∕ 25
AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Information disclosure

Affected versions: >= 8.0.0 < 10.4.9 || >= 10.5.0 < 10.5.6 || >= 11.0.0 <
11.1.9 || >= 11.2.0 < 11.2.8
CVE IDs: CVE-2025-13083
Description: 
The core system module handles downloads of private and temporary files.
Contrib modules can define additional kinds of files (schemes) that may also
be handled by the system module.

In some cases, files may be served with the HTTP header Cache-Control: public
when they should be uncacheable. This can lead to some users getting cached
versions of files with information they should not be able to access. For
example, files may be cached by Varnish or a CDN.

This vulnerability is mitigated by the following:

 1) Drupal must be configured to handle non-public files using a custom or
    contributed module providing an additional file scheme.
 2) An attacker must know to request a file that has previously been
    requested by a more-privileged user, and that file must still be cached.

Solution: 
Install the latest version:

 * If you are using Drupal 10.4, update to Drupal 10.4.9 [3].
 * If you are using Drupal 10.5, update to Drupal 10.5.6 [4].
 * If you are using Drupal 11.1, update to Drupal 11.1.9 [5].
 * If you are using Drupal 11.2, update to Drupal 11.2.8 [6].

Drupal 11.0.x, Drupal 10.3.x, and below are end-of-life and do not receive
security coverage. (Drupal 8 [7] and Drupal 9 [8] have both reached
end-of-life.)

Reported By: 
 * Damien McKenna (damienmckenna) [9] of the Drupal Security Team
 * tame4tex [10]

Fixed By: 
 * Benji Fisher (benjifisher) [11] of the Drupal Security Team
 * catch (catch) [12] of the Drupal Security Team
 * Neil Drumm (drumm) [13] of the Drupal Security Team
 * Lee Rowlands (larowlan) [14] of the Drupal Security Team
 * Mingsong  (mingsong) [15], provisional member of the Drupal Security Team
 * Mohit Aghera (mohit_aghera) [16]
 * James Gilliland (neclimdul) [17] of the Drupal Security Team
 * Juraj Nemec (poker10) [18] of the Drupal Security Team
 * Jess  (xjm) [19] of the Drupal Security Team

Coordinated By: 
 * catch (catch) [20] of the Drupal Security Team
 * Lee Rowlands (larowlan) [21] of the Drupal Security Team
 * Dave Long (longwave) [22] of the Drupal Security Team
 * Drew Webber (mcdruid) [23] of the Drupal Security Team
 * Juraj Nemec (poker10) [24] of the Drupal Security Team

------------------------------------------------------------------------------
Contribution record [25]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/10.4.9
[4] https://www.drupal.org/project/drupal/releases/10.5.6
[5] https://www.drupal.org/project/drupal/releases/11.1.9
[6] https://www.drupal.org/project/drupal/releases/11.2.8
[7] https://www.drupal.org/psa-2021-06-29
[8] https://www.drupal.org/psa-2023-11-01
[9] https://www.drupal.org/u/damienmckenna
[10] https://www.drupal.org/u/tame4tex
[11] https://www.drupal.org/u/benjifisher
[12] https://www.drupal.org/u/catch
[13] https://www.drupal.org/u/drumm
[14] https://www.drupal.org/u/larowlan
[15] https://www.drupal.org/u/mingsong
[16] https://www.drupal.org/u/mohit_aghera
[17] https://www.drupal.org/u/neclimdul
[18] https://www.drupal.org/u/poker10
[19] https://www.drupal.org/u/xjm
[20] https://www.drupal.org/u/catch
[21] https://www.drupal.org/u/larowlan
[22] https://www.drupal.org/u/longwave
[23] https://www.drupal.org/u/mcdruid
[24] https://www.drupal.org/u/poker10
[25]  
https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3557473

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news