CVE-2012-2922
Published: 21 May 2012
The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message.
Notes
| Author | Note |
|---|---|
| jdstrand | installation path is known when using distribution packages |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
drupal7 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
(precise was needed)
|
|
| quantal |
Ignored
(reached end-of-life)
|
|
| raring |
Ignored
(reached end-of-life)
|
|
| saucy |
Ignored
(reached end-of-life)
|
|
| trusty |
Not vulnerable
(7.26-1)
|
|
| upstream |
Released
(7.15)
|
|
| utopic |
Not vulnerable
(7.26-1)
|
|
| vivid |
Not vulnerable
(7.26-1)
|
|
| wily |
Not vulnerable
(7.26-1)
|
|
| xenial |
Not vulnerable
(7.26-1)
|
|
| yakkety |
Not vulnerable
(7.26-1)
|
|
| zesty |
Not vulnerable
(7.26-1)
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2922
- http://secunia.com/advisories/49131
- http://archives.neohapsis.com/archives/bugtraq/2012-05/0055.html
- http://archives.neohapsis.com/archives/bugtraq/2012-05/0053.html
- http://archives.neohapsis.com/archives/bugtraq/2012-05/0052.html
- NVD
- Launchpad
- Debian