Access Control Flaw in Drupal Image Module
CVE-2022-25275
CVSS 7.5 HIGH
What is CVE-2022-25275?
The Image module in Drupal has an access control issue that may allow unauthorized access to image files not stored in the standard public files directory. When generating derivative images, the module does not properly check access to files held in custom file systems or schemes provided by certain contributed modules, so a file that should be non-public can be served as a derivative. The flaw arises when the site is configured to allow insecure file derivatives; the default configuration disallows them, and that default should be kept. Administrators should review this setting after updating, especially on sites with customized file handling, to keep non-public files protected.
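The defensive pattern the flaw calls for is a fail-closed, scheme-aware access check in front of derivative generation: a file whose scheme has no registered access handler is denied rather than treated as if it were public. The PHP below is an added illustration written for this page; it is not Drupal's code, and the class, handler registry and the allow-insecure flag it models (DerivativeAccessGate, $schemeHandlers, $allowInsecureDerivatives) are hypothetical names, not Drupal APIs. The sample URIs and owner table are constructed.

```php
<?php
// Added illustration (not Drupal's own code): a fail-closed access check for
// derivative-image requests, keyed on the file URI's scheme. All names here
// are hypothetical and do not correspond to Drupal APIs.

declare(strict_types=1);

final class DerivativeAccessGate
{
    /** @var array<string, callable(string, string): bool> scheme => fn(uri, account): bool */
    private array $schemeHandlers;
    private bool $allowInsecureDerivatives;

    public function __construct(array $schemeHandlers, bool $allowInsecureDerivatives = false)
    {
        $this->schemeHandlers = $schemeHandlers;
        $this->allowInsecureDerivatives = $allowInsecureDerivatives;
    }

    // Decide whether a derivative of $uri may be generated for $account.
    public function canGenerate(string $uri, string $account): bool
    {
        $scheme = self::scheme($uri);
        if ($scheme === null) {
            return false; // malformed URI: refuse rather than guess
        }
        if ($scheme === 'public') {
            return true; // the public file system is world-readable by definition
        }
        if ($this->allowInsecureDerivatives) {
            // The weak setting: every non-public scheme is served with no
            // per-file check. Modelled here only to show why it must stay off.
            return true;
        }
        // Fail closed: a scheme with no registered access handler is denied,
        // instead of being handled like the public scheme.
        $handler = $this->schemeHandlers[$scheme] ?? null;
        return $handler !== null && $handler($uri, $account) === true;
    }

    // Extract and normalise the scheme ("private://x" -> "private").
    private static function scheme(string $uri): ?string
    {
        if (preg_match('/^([a-z][a-z0-9+.-]*):\/\//i', $uri, $m) !== 1) {
            return null;
        }
        return strtolower($m[1]);
    }
}

// Constructed sample data: a "private" scheme whose handler checks file
// ownership, and a contributed "s3" scheme that registers no handler at all.
$owners = ['private://reports/q3.png' => 'alice'];
$gate = new DerivativeAccessGate([
    'private' => fn(string $uri, string $account): bool => ($owners[$uri] ?? null) === $account,
]);

var_dump($gate->canGenerate('public://logo.png', 'anon'));
var_dump($gate->canGenerate('private://reports/q3.png', 'alice'));
var_dump($gate->canGenerate('private://reports/q3.png', 'anon'));
var_dump($gate->canGenerate('s3://bucket/secret.png', 'anon'));

// Same request against a gate configured with the insecure setting enabled.
$weak = new DerivativeAccessGate([], allowInsecureDerivatives: true);
var_dump($weak->canGenerate('s3://bucket/secret.png', 'anon'));
```

Run with `php gate.php` (PHP 8.0 or later, for named arguments). With the default configuration the public file is allowed, the private file is allowed only for its owner, and the unregistered s3 scheme is denied outright; with the insecure-derivatives flag enabled the same s3 request is allowed without any check, which is the behaviour the advisory's "review your settings" guidance is meant to rule out.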
Affected Version(s)
Core 9.4 < 9.4.3
Core 9.3 < 9.3.19
Core 7 < 7.91