CVE-2016-3170: Drupal sensitive information disclosure
CVSS Score: 5.3 (CVSS 3.0)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.68159%
CWE
Published: 5/17/2022
Updated: 5/3/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
drupal/core | composer | >= 7.0, < 7.43 | 7.43 |
drupal/core | composer | >= 8.0, < 8.0.4 | 8.0.4 |
drupal/drupal | composer | >= 8.0, < 8.0.4 | 8.0.4 |
drupal/drupal | composer | >= 7.0, < 7.43 | 7.43 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability involves the 'forgot password' functionality in Drupal's User module, which is handled by the user_pass function in user.pages.inc. This function processes password reset requests. When the site allows email-based logins (via configuration/modules), submitting an email address to this function would reveal whether the email is associated with a valid account (via the password reset email being sent). The patched versions likely modified this function to avoid confirming the existence of the email-username pair explicitly. The high confidence stems from the direct link between the vulnerability's description (password reset link leakage) and the core User module's password reset handling logic.