Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2023-May-03
Vulnerability:
Access bypass
Affected versions:
<3.2.0
Description:
S3 File System (s3fs) provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service (S3) or any other S3-compatible storage service.
This module may fail to validate that a file being requested to be moved to storage was uploaded during the same web request, possibly allowing an attacker to move files that should normally be inaccessible to them.
This vulnerability is mitigated by the fact that another vulnerability must already exist outside of s3fs.
Solution:
Install the latest version:
- If you use the S3 File System module for Drupal 8.x, upgrade to s3fs 8.x-3.2
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
