View online: https://www.drupal.org/sa-contrib-2022-057
Project: S3 File System [1]
Date: 2022-September-28
Security risk: *Moderately critical* 10∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Description: This module enables you to utilize S3-compatible storage as a Drupal filesystem.
The module doesn't sufficiently prevent file access across multiple filesystem schemes stored in the same bucket.
This vulnerability is mitigated by the fact that an attacker must obtain a method to access arbitrary file paths, the site must have public or private takeover enabled, and the file metadata cache must be ignored.
Solution: Install the latest version:
* If you use the S3 File System module for Drupal 7.x, upgrade to S3 File System 7.x-2.14 [3]
Reported By:
* Conrad Lara [4]
* Guy Elsmore-Paddock [5]
Fixed By:
* Conrad Lara [6]
* Ron Shimshock [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/s3fs
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/s3fs/releases/7.x-2.14
[4] https://www.drupal.org/user/1790054
[5] https://www.drupal.org/user/156932
[6] https://www.drupal.org/user/1790054
[7] https://www.drupal.org/user/184990
[8] https://www.drupal.org/user/36762