CVE-2020-13670

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to access metadata of private files in Drupal by guessing file IDs, potentially exposing sensitive information. It affects Drupal Core versions 8.8.x before 8.8.10, 8.9.x before 8.9.6, and 9.0.x before 9.0.6.

💻 Affected Systems

Products:
  • Drupal Core
Versions: 8.8.x prior to 8.8.10, 8.9.x prior to 8.9.6, 9.0.x prior to 9.0.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects sites using private file system for file storage.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could systematically enumerate private files to discover sensitive metadata, potentially leading to identification of confidential documents, user information, or system details.

🟠 Likely Case

Attackers gain access to file metadata they shouldn't see, which could include file names, sizes, timestamps, and potentially reveal sensitive information about system structure or content.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to metadata exposure without actual file content access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authentication, but only minimal technical skill is needed to enumerate IDs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.8.10, 8.9.6, or 9.0.6

Vendor Advisory: https://www.drupal.org/sa-core-2020-011

Restart Required: No

Instructions:

1. Back up your Drupal site.
2. Update Drupal Core to version 8.8.10, 8.9.6, or 9.0.6 or higher.
3. Clear all caches.
4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict file access

all

Implement additional access controls for private files through custom modules or .htaccess rules.

🧯 If You Can't Patch

  • Implement strict access controls and monitoring for file access patterns
  • Consider moving sensitive files to more secure storage with additional authentication layers

🔍 How to Verify

Check if Vulnerable:

Check Drupal version via admin/reports/status or drush status command

Check Version:

drush status | grep 'Drupal version' or check admin/reports/status page

Verify Fix Applied:

Verify Drupal version is 8.8.10+, 8.9.6+, or 9.0.6+

📡 Detection & Monitoring

Log Indicators:

  • Unusual patterns of file metadata requests
  • Multiple failed file access attempts with sequential IDs

Network Indicators:

  • Repeated requests to /system/files/ endpoints with varying IDs

SIEM Query:

source="drupal" AND uri="/system/files/*" AND status=200 | stats dc(uri) AS distinct_files, count BY src_ip

Counting distinct URIs per source address is what separates enumeration from a legitimate user repeatedly opening one file.
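A detection script for the log and network indicators above, added here as an example (it is not part of the original advisory or of Drupal itself): it parses constructed Apache-style access-log lines and flags source addresses that request many distinct /system/files/ paths within a short window. The log format, thresholds, and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache common log format (not from a real site).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Sep/2020:10:00:01 +0000] "GET /system/files/private/doc-10.pdf HTTP/1.1" 403 512
203.0.113.7 - - [17/Sep/2020:10:00:02 +0000] "GET /system/files/private/doc-11.pdf HTTP/1.1" 403 512
203.0.113.7 - - [17/Sep/2020:10:00:03 +0000] "GET /system/files/private/doc-12.pdf HTTP/1.1" 200 8812
203.0.113.7 - - [17/Sep/2020:10:00:04 +0000] "GET /system/files/private/doc-13.pdf HTTP/1.1" 403 512
203.0.113.7 - - [17/Sep/2020:10:00:05 +0000] "GET /system/files/private/doc-14.pdf HTTP/1.1" 403 512
203.0.113.7 - - [17/Sep/2020:10:00:06 +0000] "GET /system/files/private/doc-15.pdf HTTP/1.1" 404 512
198.51.100.4 - alice [17/Sep/2020:10:05:00 +0000] "GET /system/files/private/doc-12.pdf HTTP/1.1" 200 8812
198.51.100.4 - alice [17/Sep/2020:10:05:30 +0000] "GET /node/12 HTTP/1.1" 200 4410
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3})')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_private_file_enumeration(lines, min_distinct=5, window_seconds=60):
    """Flag source IPs that request at least min_distinct different /system/files/
    paths within window_seconds; this is the pattern ID guessing produces."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith("/system/files/"):
            by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding time window over this IP's requests
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            distinct = {r["path"] for r in window}
            # keep the densest window seen for this IP; denied = 403/404 replies
            if len(distinct) >= min_distinct and len(distinct) > alerts.get(ip, {}).get("distinct_paths", 0):
                alerts[ip] = {"distinct_paths": len(distinct),
                              "denied": sum(r["status"] in (403, 404) for r in window),
                              "served": sum(r["status"] == 200 for r in window)}
    return alerts
```

Running `find_private_file_enumeration(SAMPLE_LOG.splitlines())` flags only 203.0.113.7; the single private-file download by 198.51.100.4 stays below the threshold.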
