it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Rabbit Hole - Moderately critical - Access bypass - SA-CONTRIB-2019-029
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Rabbit Hole - Moderately critical - Access bypass - SA-CONTRIB-2019-029
- Date: Wed, 27 Feb 2019 18:12:38 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2019-029
Project: Rabbit Hole [1]
Version: 7.x-2.x-dev
Date: 2019-February-27
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
The Rabbit Hole module allows administrators to control what should happen
when a regular user tries to view an entity at its own page; for example, it
may deliver a 403 Access Denied or 404 Page Not Found response, or redirect
the user to another path.
The module doesn't respect the Rabbit Hole settings when an entity is being
requested with a certain header. This could lead to certain data being
exposed even if it shouldn't be. The vulnerability is mitigated by the fact
that the user also needs permission to view the content being requested.
Solution:
Install version 7.x-2.25, available at
https://www.drupal.org/project/rabbit_hole/releases/7.x-2.25 [3].
Reported By:
* Fabian Iwand [4]
Fixed By:
* Fabian Iwand [5]
* M Parker [6]
* Olof Bokedal [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/rabbit_hole
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/rabbit_hole/releases/7.x-2.25
[4] https://www.drupal.org/user/1632364
[5] https://www.drupal.org/user/1632364
[6] https://www.drupal.org/user/536298
[7] https://www.drupal.org/user/1198438
[8] https://www.drupal.org/user/36762
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Rabbit Hole - Moderately critical - Access bypass - SA-CONTRIB-2019-029, security-news, 27.02.2019
Archiv bereitgestellt durch MHonArc 2.6.19.