- Backdrop Core 1.24.x versions prior to 1.24.2
- Backdrop Core 1.23.x versions prior to 1.23.4
Backdrop versions 1.22 and prior do not receive security coverage.
The file download handling does not sufficiently sanitize file paths in certain situations. This can allow users to read private files they are not authorized to access.
Some sites may require configuration changes following this security release. Review the release notes if you have issues accessing private files after updating.
- All Backdrop sites running on Windows web servers are vulnerable.
- Backdrop sites on Linux web servers are vulnerable only with certain file directory structures, or if a vulnerable contributed or custom file access module is installed.
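The Windows/Linux split above comes down to separator handling: on Windows both `/` and `\` delimit path segments, so a sanitizer that only looks for `/` will let a `..\` segment escape the private directory, while on Linux `\` is an ordinary filename character. The following is an added illustration, not Backdrop core's code or the actual fix, of a conservative check that treats both separators as separators on every platform and then confirms the resolved path with `realpath()`. The function names and the `$private_root` argument are placeholders, not Backdrop APIs.

```php
<?php
// Added example, not Backdrop core code. Function names are placeholders.

/**
 * Return a normalized relative path, or NULL if $relative is unsafe.
 * Both '/' and '\' are treated as separators regardless of host OS, so a
 * check written on Linux does not silently pass '..\' segments on Windows.
 */
function private_file_relative_path(string $relative): ?string {
  // NUL bytes can truncate the path at the filesystem layer.
  if (strpos($relative, "\0") !== FALSE) {
    return NULL;
  }
  $normalized = str_replace('\\', '/', $relative);
  // Absolute paths, drive letters and stream wrappers are never acceptable.
  if ($normalized === ''
    || $normalized[0] === '/'
    || preg_match('#^[A-Za-z]:/#', $normalized)
    || strpos($normalized, '://') !== FALSE) {
    return NULL;
  }
  $safe = [];
  foreach (explode('/', $normalized) as $segment) {
    if ($segment === '' || $segment === '.') {
      continue;
    }
    if ($segment === '..') {
      return NULL;
    }
    $safe[] = $segment;
  }
  return $safe ? implode('/', $safe) : NULL;
}

/**
 * Resolve the on-disk path and confirm it is inside $private_root.
 * realpath() follows symlinks, which catches directory layouts where the
 * private directory (or something inside it) links outside its own tree.
 */
function private_file_resolve(string $private_root, string $relative): ?string {
  $rel = private_file_relative_path($relative);
  if ($rel === NULL) {
    return NULL;
  }
  $root = realpath($private_root);
  $target = realpath($private_root . DIRECTORY_SEPARATOR . $rel);
  if ($root === FALSE || $target === FALSE) {
    return NULL;
  }
  // Compare with a trailing separator so '/private' does not match '/private2'.
  $root_prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
  if (strpos($target, $root_prefix) !== 0) {
    return NULL;
  }
  return $target;
}

// Constructed demo: a throwaway private directory with one file in it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'private_demo_' . getmypid();
mkdir($root . '/docs', 0700, TRUE);
file_put_contents($root . '/docs/report.pdf', 'demo');

$requests = [
  'docs/report.pdf',        // allowed
  '../settings.php',        // rejected: '..' segment
  'docs\\..\\..\\passwd',   // rejected on every OS, not only where '\' is a separator
  'C:\\Windows\\win.ini',   // rejected: drive-letter absolute path
  'private://secret.txt',   // rejected: stream wrapper
];
foreach ($requests as $r) {
  $resolved = private_file_resolve($root, $r);
  printf("%-24s => %s\n", $r, $resolved === NULL ? 'REJECT' : 'serve ' . $resolved);
}

unlink($root . '/docs/report.pdf');
rmdir($root . '/docs');
rmdir($root);
```

When auditing a contributed or custom module that implements file access hooks, apply the same two questions to its handling of the requested path: does it normalize both separator styles before checking for `..`, and does it verify the final resolved location rather than only the string it was given.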
Upgrade your site to the most recent version of Backdrop core: 1.24.2, or 1.23.4 for sites still on the 1.23.x branch. The download is available on the Backdrop CMS 1.24.2 release page. See the update instructions if needed.
- Heine of the Drupal Security Team
- Conrad Lara
- Guy Elsmore-Paddock
- Michael Hess of the Drupal Security Team
- Heine of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- David Rothstein of the Drupal Security Team
- xjm of the Drupal Security Team
- Wim Leers
- Damien McKenna of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
- Conrad Lara
- Peter Wolanin of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Benji Fisher of the Drupal Security Team
- Juraj Nemec, provisional member of the Drupal Security Team
- Dave Long of the Drupal Security Team
- Kim Pepper
- Alex Pott of the Drupal Security Team
- Neil Drumm of the Drupal Security Team
- Jen Lampton of the Backdrop Security Team
- Nate Lampton of the Backdrop Security Team