The Image module allows you to define and configure image fields.
The module doesn't sufficiently check access to image style derivatives when those files are served via a file stream other than private://.
This vulnerability is mitigated by the fact that Drupal must be configured to use a contributed (non-core) file scheme to serve private derived images.
Information disclosure issues like this one are not generally given security advisories (as described in PSA-2023-07-12)). This fix is provided as a hardening. Contributed modules implementing custom stream wrappers may need to add similar hardenings.
Install the latest version:
Drupal 11
- If you use Drupal 11.4.x, update to Drupal 11.4.4.
- If you use Drupal 11.3.x, update to Drupal 11.3.14.
- Drupal 11.2.x and below are end-of-life and do not receive security coverage.
Drupal 10
- If you use Drupal 10.6.x, update to Drupal 10.6.13.
- Drupal 10.5.x and below are end-of-life and do not receive security coverage.
- Benji Fisher (benjifisher) of the Drupal Security Team
- Kim Pepper (kim.pepper)
- Mohit Aghera (mohit_aghera)
- Benji Fisher (benjifisher) of the Drupal Security Team
- catch (catch) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team