{"id":"CVE-2017-6377","details":"When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.","aliases":["GHSA-w7qx-vwr9-2j3r"],"modified":"2026-04-10T04:01:52.973418Z","published":"2017-03-16T14:59:00.237Z","references":[{"type":"WEB","url":"http://www.securitytracker.com/id/1038058"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/96919"},{"type":"ADVISORY","url":"https://www.drupal.org/SA-2017-001"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/drupal/drupal","events":[{"introduced":"0"},{"last_affected":"fb83de52e58e8fb3303de7aa9834f99ae128564a"},{"introduced":"0"},{"last_affected":"d53f5234293d7d1a3bc8083ad13d7c850c834583"},{"introduced":"0"},{"last_affected":"121cf4e23ae2f475f785939ab504ed2a1d52dfd0"},{"introduced":"0"},{"last_affected":"5899fe1f5b0f9c1f9feaa893f5ead14955d6231c"},{"introduced":"0"},{"last_affected":"407b39f9602321dd0e979006c929339ec34f0d6c"},{"introduced":"0"},{"last_affected":"40bc6813016bc7de89986998a75fa13d76ce3152"},{"introduced":"0"},{"last_affected":"6ffaabfece5d21e41c1ae53c8e3a8f6ffa94582a"},{"introduced":"0"},{"last_affected":"ce4cc6593bb01ab2b7817ae54beed9632f6e850e"},{"introduced":"0"},{"last_affected":"a5faa6332c371d90777269ceb3bccda7c4bd0ac3"},{"introduced":"0"},{"last_affected":"7b4d06507ae7134b0906ec49480b09517f55fc82"},{"introduced":"0"},{"last_affected":"6d42807a7fb20809a37898453d7b8bad0c9fdc29"},{"introduced":"0"},{"last_affected":"711288453bb031c0ad5324f5361339d51a8dd511"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"8.2.0"},{"introduced":"0"},{"last_affected":"8.2.0-beta1"},{"introduced":"0"},{"last_affected":"8.2.0-beta2"},{"introduced":"0"},{"last_affected":"8.2.0-beta3"},{"introduced":"0"},{"last_affected":"8.2.0-rc1"},{"introduced":"0"},{"last_affected":"8.2.0-rc2"},{"introduced":"0"},{"last_affected":"8.2.1"},{"introduced":"0"},{"last_affected":"8.2.2"},{"introduced":"0"},{"last_affected":"8.2.3"},{"introduced":"0"},{"last_affected":"8.2.4"},{"introduced":"0"},{"last_affected":"8.2.5"},{"introduced":"0"},{"last_affected":"8.2.6"}]}}],"versions":["1.0","2.0","3.0.1","5.0-beta-1","5.0-beta-2","5.0-rc-1","5.0-rc-2","6.0-beta-1","6.0-beta-2","6.0-beta-3","6.0-beta-4","6.0-rc-1","6.0-rc-2","6.0-rc-3","7.0","7.0-alpha1","7.0-alpha2","7.0-alpha3","7.0-alpha4","7.0-alpha5","7.0-alpha6","7.0-alpha7","7.0-beta1","7.0-beta2","7.0-beta3","7.0-rc-1","7.0-rc-2","7.0-rc-3","7.0-rc-4","7.0-unstable-1","7.0-unstable-10","7.0-unstable-2","7.0-unstable-3","7.0-unstable-4","7.0-unstable-5","7.0-unstable-6","7.0-unstable-7","8.0-alpha10","8.0-alpha11","8.0-alpha12","8.0-alpha13","8.0-alpha2","8.0-alpha3","8.0-alpha4","8.0-alpha5","8.0-alpha6","8.0-alpha7","8.0-alpha8","8.0-alpha9","8.0.0","8.0.0-alpha14","8.0.0-alpha15","8.0.0-beta1","8.0.0-beta10","8.0.0-beta11","8.0.0-beta12","8.0.0-beta13","8.0.0-beta14","8.0.0-beta15","8.0.0-beta16","8.0.0-beta2","8.0.0-beta3","8.0.0-beta4","8.0.0-beta5","8.0.0-beta6","8.0.0-beta7","8.0.0-beta9","8.0.0-rc1","8.0.0-rc2","8.0.0-rc3","8.0.0-rc4","8.1.0-beta1","8.2.0","8.2.0-beta1","8.2.0-beta2","8.2.0-beta3","8.2.0-rc1","8.2.0-rc2","8.2.1","8.2.2","8.2.3","8.2.4","8.2.5","8.2.6","start"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6377.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}