Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-bge7-rqsx-gfee

Summary

Access bypass in Drupal core
The file download facility does not sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.

Aliases

alias	CVE-2023-31250

alias	GHSA-8849-cv9f-vccm

Fixed_packages

url	pkg:composer/drupal/core@7.96.0
purl	pkg:composer/drupal/core@7.96.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@7.96.0

url	pkg:composer/drupal/core@9.4.14
purl	pkg:composer/drupal/core@9.4.14
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.4.14

url	pkg:composer/drupal/core@9.5.8
purl	pkg:composer/drupal/core@9.5.8
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.5.8

url	pkg:composer/drupal/core@10.0.8
purl	pkg:composer/drupal/core@10.0.8
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.0.8

url	pkg:composer/drupal/drupal@7.96.0
purl	pkg:composer/drupal/drupal@7.96.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@7.96.0

url	pkg:composer/drupal/drupal@9.4.14
purl	pkg:composer/drupal/drupal@9.4.14
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.14

url	pkg:composer/drupal/drupal@9.5.8
purl	pkg:composer/drupal/drupal@9.5.8
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.5.8

url	pkg:composer/drupal/drupal@10.0.8
purl	pkg:composer/drupal/drupal@10.0.8
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@10.0.8

Affected_packages

url pkg:composer/drupal/core@7.0.0

purl pkg:composer/drupal/core@7.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2g67-a42m-qfbh

vulnerability	VCID-6rtn-zphz-sydn

vulnerability	VCID-84eq-cq89-9qhm

vulnerability	VCID-9nk8-dban-g7h9

vulnerability	VCID-a3s2-c4k2-4ufn

vulnerability	VCID-a4u4-ga84-wyf9

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-e12q-qavs-qybu

vulnerability	VCID-e69p-v2ws-vufj

vulnerability	VCID-e8un-nbkk-cbf9

vulnerability	VCID-ey9c-4yhy-3qa5

vulnerability	VCID-mscp-wvvx-zfh3

vulnerability	VCID-n5n3-p5yy-13d9

vulnerability	VCID-pmmq-8s2m-h7dp

vulnerability	VCID-qsuc-53pg-zkda

vulnerability	VCID-tpzm-u3qp-akc8

vulnerability	VCID-wsv7-je8g-sqet

vulnerability	VCID-wszp-2es5-z7fy

vulnerability	VCID-x34m-u169-1bce

vulnerability	VCID-yygb-pp11-5udj

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@7.0.0

url pkg:composer/drupal/core@9.0.0

purl pkg:composer/drupal/core@9.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-31qy-vagp-83b6

vulnerability	VCID-avmn-kqky-83dd

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-nacy-y1qt-5yhb

vulnerability	VCID-tpzm-u3qp-akc8

vulnerability	VCID-wsv7-je8g-sqet

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.0.0

url pkg:composer/drupal/core@9.5.0

purl pkg:composer/drupal/core@9.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bge7-rqsx-gfee

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@9.5.0

url pkg:composer/drupal/core@10.0.0

purl pkg:composer/drupal/core@10.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-54qh-fz2a-cyh6

vulnerability	VCID-bge7-rqsx-gfee

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.0.0

url pkg:composer/drupal/drupal@7.0.0

purl pkg:composer/drupal/drupal@7.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2g67-a42m-qfbh

vulnerability	VCID-9cr8-u5tp-yuc9

vulnerability	VCID-9nk8-dban-g7h9

vulnerability	VCID-a4u4-ga84-wyf9

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-dnc7-jg8m-8fh3

vulnerability	VCID-e69p-v2ws-vufj

vulnerability	VCID-e8un-nbkk-cbf9

vulnerability	VCID-nn8g-m52e-5kfe

vulnerability	VCID-nwza-zzn3-u3eb

vulnerability	VCID-pmmq-8s2m-h7dp

vulnerability	VCID-s144-c7ps-aqbj

vulnerability	VCID-tbah-jrah-a3fg

vulnerability	VCID-tpzm-u3qp-akc8

vulnerability	VCID-upk3-jyze-e3gx

vulnerability	VCID-wsv7-je8g-sqet

vulnerability	VCID-wszp-2es5-z7fy

vulnerability	VCID-x34m-u169-1bce

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@7.0.0

url pkg:composer/drupal/drupal@9.4.0

purl pkg:composer/drupal/drupal@9.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3xk4-qwaq-5yaj

vulnerability	VCID-a7ss-tkb6-gkge

vulnerability	VCID-bge7-rqsx-gfee

vulnerability	VCID-dyhz-g3nv-yuc3

vulnerability	VCID-rd4g-h1j9-23cb

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.4.0

url pkg:composer/drupal/drupal@9.5.0

purl pkg:composer/drupal/drupal@9.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bge7-rqsx-gfee

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@9.5.0

url pkg:composer/drupal/drupal@10.0.0

purl pkg:composer/drupal/drupal@10.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bge7-rqsx-gfee

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/drupal@10.0.0

References

reference_url	https://www.drupal.org/sa-core-2023-005
reference_id
reference_type
scores
url	https://www.drupal.org/sa-core-2023-005

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-31250
reference_id	CVE-2023-31250
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-31250

reference_url	https://github.com/advisories/GHSA-8849-cv9f-vccm
reference_id	GHSA-8849-cv9f-vccm
reference_type
scores
url	https://github.com/advisories/GHSA-8849-cv9f-vccm

Weaknesses

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	863
name	Incorrect Authorization
description	The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bge7-rqsx-gfee

Vulnerability Instance