CVE-2020-13671
Published: 20 November 2020
Summary
CVE-2020-13671 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Drupal Drupal. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 14.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Drupal core fails to properly sanitize certain filenames during file uploads, which can cause uploaded content to be interpreted under an incorrect extension. This leads to the file being served with the wrong MIME type or executed as PHP code under specific hosting configurations. The flaw affects Drupal Core versions 9.0 prior to 9.0.8, 8.9 prior to 8.9.9, 8.8 prior to 8.8.11, and 7 prior to 7.74, and is tracked under CWE-434.
An authenticated attacker with the ability to upload files can exploit the issue over the network with low complexity. Successful exploitation grants full control over confidentiality, integrity, and availability by allowing malicious files to be stored and later executed or served in an unintended manner, corresponding to the CVSS 8.8 rating.
The referenced Drupal security advisory SA-CORE-2020-012 and associated Fedora package announcements direct administrators to apply the fixed releases (7.74, 8.8.11, 8.9.9, or 9.0.8) as the primary mitigation. No public details on in-the-wild exploitation are provided in the source references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-2168
Vulnerability details
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects:…
more
Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.
- CWE(s)
- KEV Date Added
- 18 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces validation and sanitization of filename inputs during file uploads to block dangerous extension manipulation.
Requires prompt application of the vendor patches (7.74/8.8.11/8.9.9/9.0.8) that correct the filename sanitization flaw.
Provides malicious-code scanning and execution blocking for uploaded files that evade filename sanitization.