Access Control Flaw in Drupal Image Module
CVE-2022-25275
What is CVE-2022-25275?
The Image module in Drupal has an access control issue that may allow unauthorized access to image files that are not stored in the standard public files directory. Specifically, when generating derivative images, the module does not properly check access for files stored in custom file systems or schemes provided by certain contributed modules. The flaw is only exposed when the site's configuration allows insecure file derivatives; the default configuration disallows them, and that setting should be left disabled. Administrators should review their settings after updating, especially on customized sites, to maintain file security.
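One way to run the review described above, as an added example that is not part of the original entry or of Drupal itself: it compares a core version with the affected ranges listed on this page and looks for a settings.php override that enables insecure derivatives. The two setting names are the ones Drupal core uses (they are not given on this page), the sample file is constructed, and the scan assumes one assignment per line and does not cover exported configuration YAML.

```python
import re

# Affected ranges as listed on this page: branch -> first fixed release.
FIXED_IN = {(9, 4): (9, 4, 3), (9, 3): (9, 3, 19), (7,): (7, 91)}

# Drupal 8/9 style ($config[...]) and Drupal 7 style ($conf[...]) overrides.
OVERRIDE = re.compile(
    r"""\$(?:config\[['"]image\.settings['"]\]\[['"]allow_insecure_derivatives['"]\]"""
    r"""|conf\[['"]image_allow_insecure_derivatives['"]\])\s*=\s*([^;]+);""")

def core_status(version):
    """Return 'affected', 'fixed' or 'not-listed' for a core version string."""
    # Drop pre-release suffixes such as "-rc1" before comparing numerically.
    parts = tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))
    for branch, fixed in FIXED_IN.items():
        if parts[:len(branch)] == branch:
            return "affected" if parts < fixed else "fixed"
    # Branches this page does not list (for example end-of-life ones).
    return "not-listed"

def insecure_derivative_overrides(settings_php):
    """Return (line number, line) for active overrides that enable the setting."""
    hits = []
    for lineno, line in enumerate(settings_php.splitlines(), 1):
        code = line.strip()
        if code.startswith(("#", "//", "*", "/*")):
            continue  # commented-out override, not active
        m = OVERRIDE.search(code)
        if m and m.group(1).strip().lower() in ("true", "1"):
            hits.append((lineno, code))
    return hits

# Constructed sample, not taken from a real site.
SAMPLE_SETTINGS = """<?php
# $config['image.settings']['allow_insecure_derivatives'] = TRUE;
$config['system.logging']['error_level'] = 'hide';
$config['image.settings']['allow_insecure_derivatives'] = TRUE;
$conf['image_allow_insecure_derivatives'] = FALSE;
"""

if __name__ == "__main__":
    print("9.4.2:", core_status("9.4.2"))
    for lineno, code in insecure_derivative_overrides(SAMPLE_SETTINGS):
        print(f"settings.php line {lineno}: {code}")
```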

Affected Version(s)
Core 9.4 < 9.4.3
Core 9.3 < 9.3.19
Core 7 < 7.91
