High severity 7.5 · NVD Advisory · Published Mar 16, 2017 · Updated Jun 17, 2026
CVE-2017-6377
Description
When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 8.2.0, < 8.2.7 | 8.2.7 |
| drupal/drupal (Packagist) | >= 8.2.0, < 8.2.7 | 8.2.7 |
Affected products
- cpe:2.3:a:drupal:drupal:8.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.6:*:*:*:*:*:*:*
- ghsa-coords (2 versions)
- (no CPE) range: >= 8.2.0, < 8.2.7
- (no CPE) range: >= 8.2.0, < 8.2.7
- Range: 8.2.x versions before 8.2.7
References
- www.securityfocus.com/bid/96919 (nvd: Third Party Advisory, VDB Entry, WEB)
- github.com/advisories/GHSA-w7qx-vwr9-2j3r (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-6377 (ghsa: ADVISORY)
- www.drupal.org/SA-2017-001 (nvd: Vendor Advisory, WEB)
- www.securitytracker.com/id/1038058 (nvd: WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6377.yaml (ghsa: WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6377.yaml (ghsa: WEB)