
it-securitynotifies - [IT-SecNots] [Security-news] Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026
  • Date: Wed, 1 Jul 2020 16:36:58 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2020-026

Project: Renderkit [1]
Version: 7.x-1.x-dev
Date: 2020-July-01
Security risk: *Less critical* 9∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description: 
The renderkit module contains components which can transform the display of
field items sent to it.

Some of these components do not respect the '#access' property on the field
render element, and thus can make rendered field values visible to visitors
who would otherwise not be allowed to see those field values.

This only occurs if all of the following conditions are true:

* Your site has a field where viewing access is restricted on field level,
e.g. using the "Field permissions" module.
* The access-restricted field is displayed using the "Field with formatter"
entity display from renderkit, in combination with one of the affected
field display processor components.

Solution: 
If a site is affected, there are 2 steps to fix this issue:

Step 1: Install the latest version of renderkit:

* If you use the renderkit module for Drupal 7.x, upgrade to Renderkit
7.x-1.14 [3].

Step 2: Review your custom modules.

Look for classes that implement FieldDisplayProcessorInterface.
Consider extending the FieldDisplayProcessorBase class instead of
implementing the interface.

Also see the Renderkit [4] project page.

Reported By: 
* Andreas Hennings [5]

Fixed By: 
* Andreas Hennings [6]
* mibfire [7]

Coordinated By: 
* Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/renderkit
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/renderkit/releases/7.x-1.14
[4] https://www.drupal.org/project/renderkit
[5] https://www.drupal.org/user/459338
[6] https://www.drupal.org/user/459338
[7] https://www.drupal.org/user/155136
[8] https://www.drupal.org/user/36762
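
Added example, not part of the advisory and not renderkit code: a heuristic
scanner for Step 2 that lists PHP classes which implement
FieldDisplayProcessorInterface without extending FieldDisplayProcessorBase.
The sample files and class names are constructed, and the regex matching is an
assumption about typical PHP class declarations, so treat hits as a review list.

```python
import re
import sys
import tempfile
from pathlib import Path

# Heuristic: matches "class Name ... {"; a declaration quoted in a comment also matches.
CLASS_RE = re.compile(r"\bclass\s+(?P<name>\w+)(?P<header>[^{]*)\{")
IFACE_RE = re.compile(r"\bimplements\b.*\bFieldDisplayProcessorInterface\b", re.DOTALL)
EXTENDS_RE = re.compile(r"\bextends\s+([\\\w]+)")
PHP_SUFFIXES = {".php", ".inc", ".module"}

# Constructed sample files (hypothetical class names), used only by demo().
SAMPLE = {
    "direct.php": "<?php\nclass TeaserProcessor implements FieldDisplayProcessorInterface {\n}\n",
    "based.php": "<?php\nclass SafeProcessor extends FieldDisplayProcessorBase {\n}\n",
    "other.inc": "<?php\nclass Wrapper extends Foo implements \\Countable, "
                 "FieldDisplayProcessorInterface {\n  // checks $element['#access']\n}\n",
}

def audit_php_source(source):
    """Return one finding per class implementing the interface directly."""
    findings = []
    for m in CLASS_RE.finditer(source):
        header = m.group("header")
        if not IFACE_RE.search(header):
            continue
        ext = EXTENDS_RE.search(header)
        parent = ext.group(1).split("\\")[-1] if ext else None
        if parent == "FieldDisplayProcessorBase":
            continue  # the approach the advisory recommends
        # mentions_access only says the file refers to '#access' somewhere;
        # it is a hint for the manual review, not proof the check is correct.
        findings.append({"class": m.group("name"), "parent": parent,
                         "mentions_access": "#access" in source})
    return findings

def scan_tree(root):
    """Audit every PHP-like file below root; returns (path, finding) pairs."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in PHP_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            results.extend((path, f) for f in audit_php_source(text))
    return results

def demo():
    """Write SAMPLE to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return sorted((p.name, f["class"], f["parent"], f["mentions_access"])
                      for p, f in scan_tree(tmp))

if __name__ == "__main__":
    for row in (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(row)
```

Run it with the path to your custom modules directory as the only argument;
without an argument it scans the constructed sample.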
