Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-a7ss-tkb6-gkge
Summary
Improper access control
In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.
Aliases
0
alias CVE-2022-25275
1
alias GHSA-xh3v-6f9j-wxw3
2
alias GMS-2022-3362
Fixed_packages
0
url pkg:composer/drupal/core@9.3.19
purl pkg:composer/drupal/core@9.3.19
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.3.19
1
url pkg:composer/drupal/core@9.4.3
purl pkg:composer/drupal/core@9.4.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.3
2
url pkg:composer/drupal/drupal@7.91.0
purl pkg:composer/drupal/drupal@7.91.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@7.91.0
3
url pkg:composer/drupal/drupal@9.3.19
purl pkg:composer/drupal/drupal@9.3.19
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.3.19
4
url pkg:composer/drupal/drupal@9.4.3
purl pkg:composer/drupal/drupal@9.4.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.3
Affected_packages
0
url pkg:composer/drupal/core@7.0.0
purl pkg:composer/drupal/core@7.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2g67-a42m-qfbh
1
vulnerability VCID-6rtn-zphz-sydn
2
vulnerability VCID-84eq-cq89-9qhm
3
vulnerability VCID-9nk8-dban-g7h9
4
vulnerability VCID-a3s2-c4k2-4ufn
5
vulnerability VCID-a4u4-ga84-wyf9
6
vulnerability VCID-a7ss-tkb6-gkge
7
vulnerability VCID-bge7-rqsx-gfee
8
vulnerability VCID-e12q-qavs-qybu
9
vulnerability VCID-e69p-v2ws-vufj
10
vulnerability VCID-e8un-nbkk-cbf9
11
vulnerability VCID-ey9c-4yhy-3qa5
12
vulnerability VCID-mscp-wvvx-zfh3
13
vulnerability VCID-n5n3-p5yy-13d9
14
vulnerability VCID-pmmq-8s2m-h7dp
15
vulnerability VCID-qsuc-53pg-zkda
16
vulnerability VCID-tpzm-u3qp-akc8
17
vulnerability VCID-wsv7-je8g-sqet
18
vulnerability VCID-wszp-2es5-z7fy
19
vulnerability VCID-x34m-u169-1bce
20
vulnerability VCID-yygb-pp11-5udj
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@7.0.0
1
url pkg:composer/drupal/core@8.0.0
purl pkg:composer/drupal/core@8.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2989-fmjz-nkby
1
vulnerability VCID-2fas-m6vh-myhc
2
vulnerability VCID-2t34-82p3-73c3
3
vulnerability VCID-31qy-vagp-83b6
4
vulnerability VCID-3xk4-qwaq-5yaj
5
vulnerability VCID-4dpp-gg2v-q3et
6
vulnerability VCID-56ze-2yw2-bfh8
7
vulnerability VCID-5c5c-m7ba-kqct
8
vulnerability VCID-7v89-2sss-hfaz
9
vulnerability VCID-9nk8-dban-g7h9
10
vulnerability VCID-a3s2-c4k2-4ufn
11
vulnerability VCID-a4u4-ga84-wyf9
12
vulnerability VCID-a7ss-tkb6-gkge
13
vulnerability VCID-ah3h-t9qa-gudr
14
vulnerability VCID-ard5-3cjv-1beu
15
vulnerability VCID-asm8-guag-b3ep
16
vulnerability VCID-avmn-kqky-83dd
17
vulnerability VCID-ay6b-1a7z-qkas
18
vulnerability VCID-bq2j-t19h-zyad
19
vulnerability VCID-dav9-pgdh-8yey
20
vulnerability VCID-dyhz-g3nv-yuc3
21
vulnerability VCID-e12q-qavs-qybu
22
vulnerability VCID-e8un-nbkk-cbf9
23
vulnerability VCID-egtv-y9w1-skgr
24
vulnerability VCID-jrhg-3271-tqdy
25
vulnerability VCID-kzrs-mrga-nyej
26
vulnerability VCID-mm13-6dhq-nqfb
27
vulnerability VCID-myja-t33q-q3cv
28
vulnerability VCID-nacy-y1qt-5yhb
29
vulnerability VCID-ng6g-hvc2-bkg4
30
vulnerability VCID-p54u-b18k-jyft
31
vulnerability VCID-pgnc-fq4m-3kaz
32
vulnerability VCID-pmmq-8s2m-h7dp
33
vulnerability VCID-pnme-dc73-efcb
34
vulnerability VCID-qsuc-53pg-zkda
35
vulnerability VCID-rd4g-h1j9-23cb
36
vulnerability VCID-rsc6-y1uv-6bfq
37
vulnerability VCID-t89y-c9hq-9bhk
38
vulnerability VCID-ta99-gcmk-2qc8
39
vulnerability VCID-tpzm-u3qp-akc8
40
vulnerability VCID-w4ks-ufnz-vfav
41
vulnerability VCID-wapd-e3mu-sffn
42
vulnerability VCID-wsv7-je8g-sqet
43
vulnerability VCID-wszp-2es5-z7fy
44
vulnerability VCID-x34m-u169-1bce
45
vulnerability VCID-y1nb-prqc-suaj
46
vulnerability VCID-yq4q-hydz-vuga
47
vulnerability VCID-yygb-pp11-5udj
48
vulnerability VCID-zqer-y4s4-hqhy
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@8.0.0
2
url pkg:composer/drupal/core@9.4.0
purl pkg:composer/drupal/core@9.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3xk4-qwaq-5yaj
1
vulnerability VCID-a7ss-tkb6-gkge
2
vulnerability VCID-dyhz-g3nv-yuc3
3
vulnerability VCID-rd4g-h1j9-23cb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.0
3
url pkg:composer/drupal/drupal@7.0.0
purl pkg:composer/drupal/drupal@7.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2g67-a42m-qfbh
1
vulnerability VCID-9cr8-u5tp-yuc9
2
vulnerability VCID-9nk8-dban-g7h9
3
vulnerability VCID-a4u4-ga84-wyf9
4
vulnerability VCID-a7ss-tkb6-gkge
5
vulnerability VCID-bge7-rqsx-gfee
6
vulnerability VCID-dnc7-jg8m-8fh3
7
vulnerability VCID-e69p-v2ws-vufj
8
vulnerability VCID-e8un-nbkk-cbf9
9
vulnerability VCID-nn8g-m52e-5kfe
10
vulnerability VCID-nwza-zzn3-u3eb
11
vulnerability VCID-pmmq-8s2m-h7dp
12
vulnerability VCID-s144-c7ps-aqbj
13
vulnerability VCID-tbah-jrah-a3fg
14
vulnerability VCID-tpzm-u3qp-akc8
15
vulnerability VCID-upk3-jyze-e3gx
16
vulnerability VCID-wsv7-je8g-sqet
17
vulnerability VCID-wszp-2es5-z7fy
18
vulnerability VCID-x34m-u169-1bce
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@7.0.0
4
url pkg:composer/drupal/drupal@8.0.0
purl pkg:composer/drupal/drupal@8.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2989-fmjz-nkby
1
vulnerability VCID-31qy-vagp-83b6
2
vulnerability VCID-3xk4-qwaq-5yaj
3
vulnerability VCID-56ze-2yw2-bfh8
4
vulnerability VCID-5c5c-m7ba-kqct
5
vulnerability VCID-6rtn-zphz-sydn
6
vulnerability VCID-9nk8-dban-g7h9
7
vulnerability VCID-a4u4-ga84-wyf9
8
vulnerability VCID-a7ss-tkb6-gkge
9
vulnerability VCID-ah3h-t9qa-gudr
10
vulnerability VCID-ard5-3cjv-1beu
11
vulnerability VCID-asm8-guag-b3ep
12
vulnerability VCID-avmn-kqky-83dd
13
vulnerability VCID-ay6b-1a7z-qkas
14
vulnerability VCID-bndv-n7w9-43b4
15
vulnerability VCID-bq2j-t19h-zyad
16
vulnerability VCID-dnc7-jg8m-8fh3
17
vulnerability VCID-dyhz-g3nv-yuc3
18
vulnerability VCID-e8un-nbkk-cbf9
19
vulnerability VCID-egtv-y9w1-skgr
20
vulnerability VCID-eyew-pw17-ryfj
21
vulnerability VCID-ks17-b29e-73au
22
vulnerability VCID-mm13-6dhq-nqfb
23
vulnerability VCID-mscp-wvvx-zfh3
24
vulnerability VCID-n5n3-p5yy-13d9
25
vulnerability VCID-nacy-y1qt-5yhb
26
vulnerability VCID-ng6g-hvc2-bkg4
27
vulnerability VCID-nn8g-m52e-5kfe
28
vulnerability VCID-pmmq-8s2m-h7dp
29
vulnerability VCID-pnme-dc73-efcb
30
vulnerability VCID-r4ja-mndm-uyge
31
vulnerability VCID-rd4g-h1j9-23cb
32
vulnerability VCID-rsc6-y1uv-6bfq
33
vulnerability VCID-s5qd-cpvc-c3cd
34
vulnerability VCID-ta99-gcmk-2qc8
35
vulnerability VCID-tbah-jrah-a3fg
36
vulnerability VCID-tbk2-zprq-27c8
37
vulnerability VCID-tpzm-u3qp-akc8
38
vulnerability VCID-w3x8-db6e-kued
39
vulnerability VCID-w4ks-ufnz-vfav
40
vulnerability VCID-wapd-e3mu-sffn
41
vulnerability VCID-wsv7-je8g-sqet
42
vulnerability VCID-wszp-2es5-z7fy
43
vulnerability VCID-x34m-u169-1bce
44
vulnerability VCID-y1nb-prqc-suaj
45
vulnerability VCID-zqer-y4s4-hqhy
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@8.0.0
5
url pkg:composer/drupal/drupal@9.4.0
purl pkg:composer/drupal/drupal@9.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3xk4-qwaq-5yaj
1
vulnerability VCID-a7ss-tkb6-gkge
2
vulnerability VCID-bge7-rqsx-gfee
3
vulnerability VCID-dyhz-g3nv-yuc3
4
vulnerability VCID-rd4g-h1j9-23cb
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.0
References
0
reference_url https://github.com/drupal/core/commit/2d5f47fc8a166115f56c2330a81e83abe22445cf
reference_id
reference_type
scores
url https://github.com/drupal/core/commit/2d5f47fc8a166115f56c2330a81e83abe22445cf
1
reference_url https://github.com/drupal/core/commit/e2fbf63700819cb470a1be425798f1a3f2020116
reference_id
reference_type
scores
url https://github.com/drupal/core/commit/e2fbf63700819cb470a1be425798f1a3f2020116
2
reference_url https://www.drupal.org/sa-core-2022-012
reference_id
reference_type
scores
url https://www.drupal.org/sa-core-2022-012
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-25275
reference_id CVE-2022-25275
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2022-25275
4
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25275.yaml
reference_id CVE-2022-25275.YAML
reference_type
scores
url https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2022-25275.yaml
5
reference_url https://github.com/advisories/GHSA-xh3v-6f9j-wxw3
reference_id GHSA-xh3v-6f9j-wxw3
reference_type
scores
url https://github.com/advisories/GHSA-xh3v-6f9j-wxw3
Weaknesses
0
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 284
name Improper Access Control
description The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Exploits
Severity_range_scorenull
Exploitabilitynull
Weighted_severitynull
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-a7ss-tkb6-gkge