Home > Vulnerability Database > CVE-2022-25275

Mend.io Vulnerability Database

CVE-2022-25275

Good to know:

Date: April 26, 2023

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.

Language: PHP

Severity Score

7.5

Related Resources (4)

Url: https://github.com/drupal/drupal/commit/1f82337d1789424dcb1901eb68b820a7e141d8c5

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-25275

Url: https://www.drupal.org/sa-core-2022-012

Url: https://www.mend.io/vulnerability-database/CVE-2022-25275

Severity Score

7.5

Top Fix

Upgrade Version

Upgrade to version 7.91,9.3.19,9.4.3

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-25275

Good to know:

Date: April 26, 2023

Language: PHP

Severity Score

Related Resources (4)

Severity Score

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?