CVE-2020-13670: Exposure of Resource to Wrong Sphere

February 12, 2022 (updated February 26, 2022)

Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

References

github.com/advisories/GHSA-mmjr-5q74-p3m4
nvd.nist.gov/vuln/detail/CVE-2020-13670
www.drupal.org/sa-core-2020-011

Detect and mitigate CVE-2020-13670 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →