cvelistv5 - cve-2022-25277

CVE-2022-25277 (GCVE-0-2022-25277)

Vulnerability from cvelistv5 – Published: 2023-04-26 00:00 – Updated: 2025-02-03 18:41

Summary

Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.

Severity ?

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

Arbitrary PHP code execution

Assigner

drupal

References

URL

Tags

https://www.drupal.org/sa-core-2022-014

Impacted products

	Vendor	Product	Version
	Drupal	Core	Affected: 9.4 , < 9.4.3 (custom) Affected: 9.3 , < 9.3.19 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:36:06.870Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.drupal.org/sa-core-2022-014"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.2,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-25277",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-03T18:41:13.134312Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-434",
                "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-03T18:41:34.551Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Core",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "9.4.3",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.19",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files\u0027 filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core\u0027s default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Arbitrary PHP code execution",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-26T00:00:00.000Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-core-2022-014"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2022-25277",
    "datePublished": "2023-04-26T00:00:00.000Z",
    "dateReserved": "2022-02-16T00:00:00.000Z",
    "dateUpdated": "2025-02-03T18:41:34.551Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.0.0\", \"versionEndExcluding\": \"9.3.19\", \"matchCriteriaId\": \"5C7F59B6-66D0-4A58-B240-25C001836889\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"9.4.0\", \"versionEndExcluding\": \"9.4.3\", \"matchCriteriaId\": \"14FEC723-33EE-4E64-B221-86163C584F05\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files\u0027 filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core\u0027s default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.\"}]",
      "id": "CVE-2022-25277",
      "lastModified": "2024-11-21T06:51:55.907",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.9}]}",
      "published": "2023-04-26T15:15:08.710",
      "references": "[{\"url\": \"https://www.drupal.org/sa-core-2022-014\", \"source\": \"mlhess@drupal.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.drupal.org/sa-core-2022-014\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "mlhess@drupal.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-434\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-25277\",\"sourceIdentifier\":\"mlhess@drupal.org\",\"published\":\"2023-04-26T15:15:08.710\",\"lastModified\":\"2025-02-03T19:15:09.410\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files\u0027 filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core\u0027s default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-434\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndExcluding\":\"9.3.19\",\"matchCriteriaId\":\"5C7F59B6-66D0-4A58-B240-25C001836889\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.4.0\",\"versionEndExcluding\":\"9.4.3\",\"matchCriteriaId\":\"14FEC723-33EE-4E64-B221-86163C584F05\"}]}]}],\"references\":[{\"url\":\"https://www.drupal.org/sa-core-2022-014\",\"source\":\"mlhess@drupal.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.drupal.org/sa-core-2022-014\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"2c85b837-eb8b-40ed-9d74-228c62987387\", \"shortName\": \"drupal\", \"dateUpdated\": \"2023-04-26T00:00:00.000Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files\u0027 filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core\u0027s default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.\"}], \"affected\": [{\"vendor\": \"Drupal\", \"product\": \"Core\", \"versions\": [{\"version\": \"9.4\", \"status\": \"affected\", \"lessThan\": \"9.4.3\", \"versionType\": \"custom\"}, {\"version\": \"9.3\", \"status\": \"affected\", \"lessThan\": \"9.3.19\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://www.drupal.org/sa-core-2022-014\"}], \"problemTypes\": [{\"descriptions\": [{\"type\": \"text\", \"lang\": \"en\", \"description\": \"Arbitrary PHP code execution\"}]}]}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T04:36:06.870Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.drupal.org/sa-core-2022-014\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-25277\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-03T18:41:13.134312Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-434\", \"description\": \"CWE-434 Unrestricted Upload of File with Dangerous Type\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-03T18:41:10.106Z\"}}]}",
      "cveMetadata": "{\"state\": \"PUBLISHED\", \"cveId\": \"CVE-2022-25277\", \"assignerOrgId\": \"2c85b837-eb8b-40ed-9d74-228c62987387\", \"assignerShortName\": \"drupal\", \"dateUpdated\": \"2025-02-03T18:41:34.551Z\", \"dateReserved\": \"2022-02-16T00:00:00.000Z\", \"datePublished\": \"2023-04-26T00:00:00.000Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2022-AVI-667

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Drupal. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un contournement de la politique de sécurité.

La vulnérabilité CVE-2022-25277 affecte seulement les serveurs Apache.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Drupal Core versions 9.4.x antérieures à 9.4.3
Drupal Core versions antérieures à 9.3.19

Les versions de Drupal antérieures à 9.3 sont considérées obsolètes et ne reçoivent plus de correctifs de sécurité.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité Drupal sa-core-2022-012 du 20 juillet 2022	None	vendor-advisory
Bulletin de sécurité Drupal sa-core-2022-013 du 20 juillet 2022	None	vendor-advisory
Bulletin de sécurité Drupal sa-core-2022-014 du 20 juillet 2022	None	vendor-advisory
Bulletin de sécurité Drupal sa-core-2022-015 du 20 juillet 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cul\u003e \u003cli\u003eDrupal Core versions 9.4.x ant\u00e9rieures \u00e0 9.4.3\u003c/li\u003e \u003cli\u003eDrupal Core versions ant\u00e9rieures \u00e0 9.3.19\u003c/li\u003e \u003c/ul\u003e \u003cp\u003eLes versions de Drupal ant\u00e9rieures \u00e0 9.3 sont consid\u00e9r\u00e9es obsol\u00e8tes et ne re\u00e7oivent plus de correctifs de s\u00e9curit\u00e9.\u003c/p\u003e ",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-25276",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25276"
    },
    {
      "name": "CVE-2022-25278",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25278"
    },
    {
      "name": "CVE-2022-25277",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25277"
    },
    {
      "name": "CVE-2022-25275",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25275"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-667",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-07-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Certaines\nd\u0027entre elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de\ns\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une ex\u00e9cution de code arbitraire \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n\nLa vuln\u00e9rabilit\u00e9 CVE-2022-25277 affecte seulement les serveurs Apache.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2022-012 du 20 juillet 2022",
      "url": "https://www.drupal.org/sa-core-2022-012"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2022-013 du 20 juillet 2022",
      "url": "https://www.drupal.org/sa-core-2022-013"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2022-014 du 20 juillet 2022",
      "url": "https://www.drupal.org/sa-core-2022-014"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2022-015 du 20 juillet 2022",
      "url": "https://www.drupal.org/sa-core-2022-015"
    }
  ]
}

CERTFR-2022-AVI-667

Vulnerability from certfr_avis - Published: - Updated:

La vulnérabilité CVE-2022-25277 affecte seulement les serveurs Apache.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Drupal Core versions 9.4.x antérieures à 9.4.3
Drupal Core versions antérieures à 9.3.19

Les versions de Drupal antérieures à 9.3 sont considérées obsolètes et ne reçoivent plus de correctifs de sécurité.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité Drupal sa-core-2022-012 du 20 juillet 2022	None	vendor-advisory
Bulletin de sécurité Drupal sa-core-2022-013 du 20 juillet 2022	None	vendor-advisory
Bulletin de sécurité Drupal sa-core-2022-014 du 20 juillet 2022	None	vendor-advisory
Bulletin de sécurité Drupal sa-core-2022-015 du 20 juillet 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cul\u003e \u003cli\u003eDrupal Core versions 9.4.x ant\u00e9rieures \u00e0 9.4.3\u003c/li\u003e \u003cli\u003eDrupal Core versions ant\u00e9rieures \u00e0 9.3.19\u003c/li\u003e \u003c/ul\u003e \u003cp\u003eLes versions de Drupal ant\u00e9rieures \u00e0 9.3 sont consid\u00e9r\u00e9es obsol\u00e8tes et ne re\u00e7oivent plus de correctifs de s\u00e9curit\u00e9.\u003c/p\u003e ",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-25276",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25276"
    },
    {
      "name": "CVE-2022-25278",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25278"
    },
    {
      "name": "CVE-2022-25277",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25277"
    },
    {
      "name": "CVE-2022-25275",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25275"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-667",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-07-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Drupal. Certaines\nd\u0027entre elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de\ns\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une ex\u00e9cution de code arbitraire \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n\nLa vuln\u00e9rabilit\u00e9 CVE-2022-25277 affecte seulement les serveurs Apache.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2022-012 du 20 juillet 2022",
      "url": "https://www.drupal.org/sa-core-2022-012"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2022-013 du 20 juillet 2022",
      "url": "https://www.drupal.org/sa-core-2022-013"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2022-014 du 20 juillet 2022",
      "url": "https://www.drupal.org/sa-core-2022-014"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal sa-core-2022-015 du 20 juillet 2022",
      "url": "https://www.drupal.org/sa-core-2022-015"
    }
  ]
}

GHSA-6955-67HM-VJJQ

Vulnerability from github – Published: 2022-08-06 09:33 – Updated: 2023-05-10 00:36

Summary

Drupal core arbitrary PHP code execution

Details

Drupal core sanitizes filenames with dangerous extensions upon upload and strips leading and trailing dots from filenames to prevent uploading server configuration files.

However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers.

This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.

Severity ?

7.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "9.3.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.4.0"
            },
            {
              "fixed": "9.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25277"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-06T09:33:38Z",
    "nvd_published_at": "2023-04-26T15:15:08Z",
    "severity": "HIGH"
  },
  "details": "Drupal core sanitizes filenames with dangerous extensions upon upload and strips leading and trailing dots from filenames to prevent uploading server configuration files.\n\nHowever, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files\u0027 filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core\u0027s default .htaccess files and possible remote code execution on Apache web servers.\n\nThis issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.",
  "id": "GHSA-6955-67hm-vjjq",
  "modified": "2023-05-10T00:36:31Z",
  "published": "2022-08-06T09:33:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25277"
    },
    {
      "type": "WEB",
      "url": "https://github.com/drupal/core/commit/1cd1830d79f221cc8490f53c2bb487dd07094f17"
    },
    {
      "type": "WEB",
      "url": "https://github.com/drupal/core/commit/5d464ea4407c50e40dcf6cb5ee376e7b8dd36f3a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25277.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/drupal/core"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-core-2022-014"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Drupal core arbitrary PHP code execution"
}

FKIE_CVE-2022-25277

Vulnerability from fkie_nvd - Published: 2023-04-26 15:15 - Updated: 2025-02-03 19:15

Severity ?

7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	mlhess@drupal.org	https://www.drupal.org/sa-core-2022-014	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://www.drupal.org/sa-core-2022-014	Vendor Advisory

Impacted products

	Vendor	Product	Version
	drupal	drupal	*
	drupal	drupal	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C7F59B6-66D0-4A58-B240-25C001836889",
              "versionEndExcluding": "9.3.19",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "14FEC723-33EE-4E64-B221-86163C584F05",
              "versionEndExcluding": "9.4.3",
              "versionStartIncluding": "9.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files\u0027 filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core\u0027s default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads."
    }
  ],
  "id": "CVE-2022-25277",
  "lastModified": "2025-02-03T19:15:09.410",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-04-26T15:15:08.710",
  "references": [
    {
      "source": "mlhess@drupal.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.drupal.org/sa-core-2022-014"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.drupal.org/sa-core-2022-014"
    }
  ],
  "sourceIdentifier": "mlhess@drupal.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GSD-2022-25277

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-25277

Aliases

CVE-2022-25277

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-25277",
    "id": "GSD-2022-25277"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-25277"
      ],
      "details": "Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files\u0027 filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core\u0027s default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.",
      "id": "GSD-2022-25277",
      "modified": "2023-12-13T01:19:27.066827Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@drupal.org",
        "ID": "CVE-2022-25277",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Core",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "9.4",
                          "version_value": "9.4.3"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "9.3",
                          "version_value": "9.3.19"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Drupal"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files\u0027 filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core\u0027s default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Arbitrary PHP code execution"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.drupal.org/sa-core-2022-014",
            "refsource": "CONFIRM",
            "url": "https://www.drupal.org/sa-core-2022-014"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=8.0.0,\u003c9.3.19||\u003e=9.4.0,\u003c9.4.3",
          "affected_versions": "All versions starting from 8.0.0 before 9.3.19, all versions starting from 9.4.0 before 9.4.3",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-434",
            "CWE-937"
          ],
          "date": "2023-05-09",
          "description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) in drupal/core.",
          "fixed_versions": [
            "9.3.19",
            "9.4.3"
          ],
          "identifier": "GMS-2022-3361",
          "identifiers": [
            "CVE-2022-25277",
            "GHSA-6955-67hm-vjjq",
            "GMS-2022-3361"
          ],
          "not_impacted": "All versions before 8.0.0, all versions starting from 9.3.19 before 9.4.0, all versions starting from 9.4.3",
          "package_slug": "packagist/drupal/core",
          "pubdate": "2023-04-26",
          "solution": "Upgrade to versions 9.3.19, 9.4.3 or above.",
          "title": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
          "urls": [
            "https://github.com/drupal/core/commit/1cd1830d79f221cc8490f53c2bb487dd07094f17",
            "https://github.com/drupal/core/commit/5d464ea4407c50e40dcf6cb5ee376e7b8dd36f3a",
            "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25277.yaml",
            "https://www.drupal.org/sa-core-2022-014",
            "https://github.com/advisories/GHSA-6955-67hm-vjjq"
          ],
          "uuid": "18c535f8-7c7d-4e28-b291-b1383d99f16d"
        },
        {
          "affected_range": "\u003e=8.0.0,\u003c9.3.19||\u003e=9.4.0,\u003c9.4.3",
          "affected_versions": "All versions starting from 8.0.0 before 9.3.19, all versions starting from 9.4.0 before 9.4.3",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-434",
            "CWE-937"
          ],
          "date": "2023-05-09",
          "description": "Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously does not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files\u0027 filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core\u0027s default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.",
          "fixed_versions": [],
          "identifier": "CVE-2022-25277",
          "identifiers": [
            "CVE-2022-25277"
          ],
          "not_impacted": "",
          "package_slug": "packagist/drupal/drupal",
          "pubdate": "2023-04-26",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Unrestricted Upload of File with Dangerous Type",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-25277",
            "https://www.drupal.org/sa-core-2022-014"
          ],
          "uuid": "47fae4a3-6ff7-4239-aaaa-7f0520b39658"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.4.3",
                "versionStartIncluding": "9.4.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.3.19",
                "versionStartIncluding": "8.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@drupal.org",
          "ID": "CVE-2022-25277"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files\u0027 filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core\u0027s default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-434"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.drupal.org/sa-core-2022-014",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.drupal.org/sa-core-2022-014"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-05-09T19:26Z",
      "publishedDate": "2023-04-26T15:15Z"
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-25277 (GCVE-0-2022-25277)

CERTFR-2022-AVI-667

Solution

CERTFR-2022-AVI-667

Solution

GHSA-6955-67HM-VJJQ

FKIE_CVE-2022-25277

GSD-2022-25277

Tags

Sightings

Nomenclature