[IT-SecNots] [Security-news] Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2017-083

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2017-083

Project: Custom Permissions [1]
Version: 8.x-1.x-dev
Date: 2017-November-08
Security risk: *Moderately critical* 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description: 
Custom Permissions is a lightweight module that allows permissions to be
created and managed through an administrative form.

When this module is in use, any user who is able to perform an action which
rebuilds some of Drupal's caches can trigger a scenario in which certain
pages protected by this module's custom permissions temporarily lose those
custom access controls, thereby leading to an access bypass vulnerability.

Solution: 
Install the latest version:

  * If you use the Custom Permissions module for Drupal 8, upgrade to Custom
    Permissions 8.x-1.1 [3]

Reported By: 
  * Michael Koza [4]
  * David Rothstein [5] of the Drupal Security Team

Fixed By: 
  * David Valdez [6] the module maintainer
  * David Rothstein [7] of the Drupal Security Team

Coordinated By: 
  * David Rothstein [8] of the Drupal Security Team


[1] https://www.drupal.org/project/config_perms
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/config_perms/releases/8.x-1.1
[4] https://www.drupal.org/user/2110062
[5] https://www.drupal.org/user/124982
[6] http://drupal.org/u/gnuget
[7] https://www.drupal.org/user/124982
[8] https://www.drupal.org/user/124982

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news