[IT-SecNots] [Security-news] Universally Unique IDentifier - Moderately critical - Access bypass - SA-CONTRIB-2019-052

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2019-052

Project: Universally Unique IDentifier [1]
Date: 2019-May-29
Security risk: *Moderately critical* 14∕25
AC:Complex/A:User/CI:All/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
This module provides an API for adding universally unique identifiers (UUID)
to Drupal objects, most notably entities.

The module has a privilege escalation vulnerability when it's used in
combination with Services+REST server.

This vulnerability is mitigated by the fact that an attacker must
authenticate to the site, services module must be configured on the site and
the user update resource enabled.

Solution: 
Install the latest version:

  * If you use the Universally Unique IDentifier module for Drupal 7.x,
    upgrade to UUID 7.x-1.3 [3]

Also see the Universally Unique IDentifier [4] project page.

Reported By: 
  * Gustavo Iñiguez Goia  [5]

Fixed By: 
  * Manuel Garcia  [6]
  * Samuel Mortenson  [7] of the Drupal Security Team

Coordinated By: 
  * Samuel Mortenson  [8] of the Drupal Security Team


[1] https://www.drupal.org/project/uuid
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/uuid/releases/7.x-1.3
[4] https://www.drupal.org/project/uuid
[5] https://www.drupal.org/user/3419891
[6] https://www.drupal.org/user/213194
[7] https://www.drupal.org/user/2582268
[8] https://www.drupal.org/user/2582268

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news