Security Risk: Highly Critical

Vulnerability: Access Bypass

Affected Versions: CiviCRM versions 5.10.2 and earlier

Fixed Versions: CiviCRM versions 5.10.3 and 5.7.4

Publication Date: Wednesday, February 20, 2019
Description: 

Most CiviCRM deployments manage access to file-attachments using a coarse-grained permission "access uploaded files".

In previous versions of CiviCRM, this access-control mechanism was overly permissive (and only secure in an unrealistically narrow range of use-cases). In newer versions, the permission "access uploaded files" remains a prerequisite. Additionally, when downloading a file, the URL must include a signed access token. The token is generated by the server, and it grants access to one specific file for a limited time period.
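To make the new access check concrete, the following is an added, illustrative Python implementation of a signed, time-limited download token, written for this advisory; it is not CiviCRM's own code. The secret key, the URL path, the query parameter names (`id`, `expires`, `sig`), the one-hour lifetime and the permission-set representation are all assumptions. It shows the two layers the description names: the coarse permission is still required, and on top of it the token binds a single file id to an expiry under an HMAC so it cannot be altered to reach another file or reused after it lapses.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed demo secret (assumption): a real deployment uses a per-site,
# randomly generated secret that is never exposed to clients.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 3600                      # assumed one-hour lifetime
REQUIRED_PERMISSION = "access uploaded files" # the coarse permission from the advisory


def _signature(file_id: int, expires: int) -> str:
    """HMAC-SHA256 over (file id, expiry) so neither field can be changed
    without invalidating the token."""
    message = f"{file_id}:{expires}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def make_download_url(file_id: int, now: Optional[int] = None,
                      ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Server side: build a download URL carrying a signed, expiring token.
    'now' is injectable so the behaviour is testable without real time."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    query = urlencode({"id": file_id, "expires": expires,
                       "sig": _signature(file_id, expires)})
    # Hypothetical path; CiviCRM's real download endpoint is not assumed here.
    return f"https://example.invalid/civicrm/file?{query}"


def verify_token(query: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Server side: validate the token in a download request's query string."""
    now = int(time.time()) if now is None else now
    params = parse_qs(query, keep_blank_values=True)
    try:
        file_id = int(params["id"][0])
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed parameters"
    # Constant-time comparison prevents leaking the expected signature byte by byte.
    if not hmac.compare_digest(sig, _signature(file_id, expires)):
        return False, "bad signature"
    if now > expires:
        return False, "token expired"
    return True, "ok"


def authorize_download(user_permissions: set, query: str,
                       now: Optional[int] = None) -> Tuple[bool, str]:
    """Both layers: the coarse permission is a prerequisite, and the signed
    token is additionally required. Neither alone is sufficient."""
    if REQUIRED_PERMISSION not in user_permissions:
        return False, "permission denied"
    return verify_token(query, now)


if __name__ == "__main__":
    url = make_download_url(42, now=1_000_000)
    qs = url.split("?", 1)[1]
    print(url)
    print(authorize_download({REQUIRED_PERMISSION}, qs, now=1_000_000))
    print(authorize_download({REQUIRED_PERMISSION}, qs, now=1_003_601))
    print(authorize_download({REQUIRED_PERMISSION}, qs.replace("id=42", "id=43"), now=1_000_000))
```

The order of checks matters for the reasons the advisory gives: the permission check rejects users who should never see attachments at all, the signature check rejects a URL edited to point at a different file id, and the expiry check limits how long a leaked link stays useful.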

Solutions: 

Upgrade to the latest CiviCRM version

NOTE: If you have an external integration which constructs URLs for file-attachments, then you may need to update it.

  • Updated support for Drupal Views is already included with the latest CiviCRM.
  • For other integrations, please use the Attachment.get API. The Attachment.get API provides a backward-compatible and forward-compatible way to determine the attachment's download URL (return=url) or raw content (return=content,mime_type), and it has improved support for transitive permissioning.
Credits: 

Guanhuan Chen of Compucorp for reporting the issue

Seamus Lee of Australian Greens, Tim Otten of CiviCRM, and Eileen McNaughton of Wikimedia for fixing the issue.

References: 

security/core#26