CVE-2010-3092
Description
The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration, which allows remote authenticated users to bypass the intended restrictions on downloading a file by uploading a different file with a similar name.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| drupal | drupal | 5.0 | |
| drupal | drupal | 5.1 | |
| drupal | drupal | 5.2 | |
| drupal | drupal | 5.3 | |
| drupal | drupal | 5.4 | |
| drupal | drupal | 5.5 | |
| drupal | drupal | 5.6 | |
| drupal | drupal | 5.7 | |
| drupal | drupal | 5.8 | |
| drupal | drupal | 5.9 | |
| drupal | drupal | 5.10 | |
| drupal | drupal | 5.11 | |
| drupal | drupal | 5.12 | |
| drupal | drupal | 5.13 | |
| drupal | drupal | 5.14 | |
| drupal | drupal | 5.15 | |
| drupal | drupal | 5.16 | |
| drupal | drupal | 5.17 | |
| drupal | drupal | 5.18 | |
| drupal | drupal | 5.19 | |
| drupal | drupal | 5.20 | |
| drupal | drupal | 5.21 | |
| drupal | drupal | 5.22 | |
| drupal | drupal | 6.0 | |
| drupal | drupal | 6.1 | |
| drupal | drupal | 6.2 | |
| drupal | drupal | 6.3 | |
| drupal | drupal | 6.4 | |
| drupal | drupal | 6.5 | |
| drupal | drupal | 6.6 | |
| drupal | drupal | 6.7 | |
| drupal | drupal | 6.8 | |
| drupal | drupal | 6.9 | |
| drupal | drupal | 6.10 | |
| drupal | drupal | 6.11 | |
| drupal | drupal | 6.12 | |
| drupal | drupal | 6.13 | |
| drupal | drupal | 6.14 | |
| drupal | drupal | 6.15 | |
| drupal | drupal | 6.16 | |
| drupal | drupal | 6.17 | |
References
- http://drupal.org/node/880476
- http://marc.info/?l=oss-security&m=128418560705305&w=2
- http://marc.info/?l=oss-security&m=128440896914512&w=2
- http://www.debian.org/security/2010/dsa-2113
- http://www.securityfocus.com/bid/42391
- http://drupal.org/node/880476
- http://marc.info/?l=oss-security&m=128418560705305&w=2
- http://marc.info/?l=oss-security&m=128440896914512&w=2
- http://www.debian.org/security/2010/dsa-2113
- http://www.securityfocus.com/bid/42391
CWEs
CWE-264
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.