
it-securitynotifies - [IT-SecNots] [Security-news] Decoupled Router - Critical - Access bypass - SA-CONTRIB-2018-071

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Decoupled Router - Critical - Access bypass - SA-CONTRIB-2018-071
  • Date: Wed, 31 Oct 2018 18:13:28 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2018-071

Project: Decoupled Router [1]
Version: 8.x-1.18.x-1.0
Date: 2018-October-31
Security risk: *Critical* 15∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description: 
This module enables you to resolve the provided Drupal path in order to find
the canonical path and information about the resolved entity. This
information includes entity type ID, entity ID, entity UUID and entity label.

The module doesn't sufficiently check access before displaying entity labels.
This leads to the display of labels of entities that are not accessible,
for example titles of unpublished content.

Solution: 
Install the latest version:

* If you use the Decoupled Router module for Drupal 8.x, upgrade to
Decoupled Router 8.x-1.2 [3]

Also see the Decoupled Router [4] project page.

Reported By: 
* Rainer Friederich [5]

Fixed By: 
* Mateu Aguiló Bosch [6]

Coordinated By: 
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Michael Hess (mlhess) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/decoupled_router
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/decoupled_router/releases/8.x-1.2
[4] https://www.drupal.org/project/decoupled_router
[5] https://www.drupal.org/user/3066367
[6] https://www.drupal.org/user/550110
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/102818

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
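
The access-bypass pattern the advisory describes, as an added PHP illustration (not the Decoupled Router module's code and not Drupal's API). The `Node` class, its `access()` rule, the role names, the sample path and both `resolve_*` functions are constructed stand-ins.

```php
<?php
// Constructed model of a path resolver; requires PHP 8. Not Drupal or module code.
final class Node {
    public function __construct(
        public int $id,
        public string $uuid,
        public string $label,
        public bool $published,
    ) {}

    // Hypothetical access rule: unpublished content is visible to editors only.
    public function access(array $roles): bool {
        return $this->published || in_array('editor', $roles, true);
    }
}

// Vulnerable shape: the label is copied into the response and $roles is never consulted.
function resolve_unchecked(array $routes, string $path, array $roles): ?array {
    $node = $routes[$path] ?? null;
    if ($node === null) {
        return null;
    }
    return ['type' => 'node', 'id' => $node->id, 'uuid' => $node->uuid, 'label' => $node->label];
}

// Hardened shape: the label is included only when the caller may view the entity.
function resolve_checked(array $routes, string $path, array $roles): ?array {
    $node = $routes[$path] ?? null;
    if ($node === null) {
        return null;
    }
    $info = ['type' => 'node', 'id' => $node->id, 'uuid' => $node->uuid];
    if ($node->access($roles)) {
        $info['label'] = $node->label;
    }
    return $info;
}

// Constructed sample data: one unpublished node behind a path alias.
$routes = ['/drafts/q4-plan' => new Node(42, '00000000-0000-4000-8000-000000000042', 'Q4 plan (draft)', false)];

foreach ([['anonymous'], ['editor']] as $roles) {
    echo implode(',', $roles), ' unchecked: ', json_encode(resolve_unchecked($routes, '/drafts/q4-plan', $roles)), PHP_EOL;
    echo implode(',', $roles), ' checked:   ', json_encode(resolve_checked($routes, '/drafts/q4-plan', $roles)), PHP_EOL;
}
```

In this model the anonymous caller receives the draft's label from `resolve_unchecked` but not from `resolve_checked`, while the editor receives it from both.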

