it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Exif - Critical - Access bypass - SA-CONTRIB-2018-017
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Exif - Critical - Access bypass - SA-CONTRIB-2018-017
- Date: Wed, 21 Mar 2018 17:24:13 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2018-017
Project: Exif [1]
Version: 8.x-1.x-dev
Date: 2018-March-21
Security risk: *Critical* 16∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
This module enables you to retrieve image metadata and use it in fields or
the title.
The module doesn't sufficiently restrict access to its settings pages,
thereby causing an access bypass vulnerability.
This vulnerability is mitigated by the fact that an attacker must have
permission to create entities of certain content entity types.
Solution:
Install the latest version:
* If you use the Exif module for Drupal 8.x, upgrade to Exif 8.x-1.1 [3]
Reported By:
* Jean-Francois Hovinne [4]
Fixed By:
* jphautin [5]
* Jean-Francois Hovinne [6]
Coordinated By:
* Damien McKenna [7]
[1] https://www.drupal.org/project/exif
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/exif/releases/8.x-1.1
[4] https://www.drupal.org/user/77723
[5] https://www.drupal.org/user/534338
[6] https://www.drupal.org/user/77723
[7] https://www.drupal.org/user/108450