[IT-SecNots] [Security-news] Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2019-093

Project: Taxonomy access fix [1]
Version: 8.x-2.68.x-2.58.x-2.4
Date: 2019-December-11
Security risk: *Moderately critical* 13∕25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description: 
This module extends access handling of Drupal Core's Taxonomy module.

The module doesn't sufficiently check,

  * if a given entity should be access controlled, defaulting to allowing
    access even to unpublished Taxonomy Terms.
  * if certain administrative routes should be access controlled, defaulting
    to allowing access even to users without permission to access these
    administrative routes.

The vulnerability is mitigated by the facts, that

  * the user interface to change the status of Taxonomy Terms has been
    released in Drupal Core 8.8 and a custom or contributed module is 
required
    in earlier versions of Drupal Core to mark Taxonomy Terms as unpublished.
  * all entity operations (except the view operation) available on affected
    administrative routes still require appropriate permissions.
  * an attacker must have a role with permission to either access content or
    view a Taxonomy Term in a vocabulary.

Solution: 
Install the latest version:

  * If you use taxonomy_access_fix 8.x-2.4 or later, upgrade to Taxonomy
    Access Fix 8.x-2.7 [3]

Also see the Taxonomy Access Fix project page [4].

Reported By: 
  * guedressel [5]

Fixed By: 
  * Julian Pustkuchen [6]
  * Patrick Fey [7]
  * Oleh Vehera [8]
  * guedressel [9]

Coordinated By: 
  * Greg Knaddison [10] of the Drupal Security Team
  * Damien McKenna [11] of the Drupal Security Team


[1] https://www.drupal.org/project/taxonomy_access_fix
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/taxonomy_access_fix/releases/8.x-2.7
[4] https://www.drupal.org/project/taxonomy_access_fix
[5] https://www.drupal.org/user/266710
[6] https://www.drupal.org/user/291091
[7] https://www.drupal.org/user/998680
[8] https://www.drupal.org/user/3260314
[9] https://www.drupal.org/user/266710
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/u/damienmckenna

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news