it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2020-028
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2020-028
- Date: Wed, 22 Jul 2020 19:21:21 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2020-028
Project: Apigee Edge [1]
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: *Moderately critical* 10∕25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:

The Apigee Edge module allows connecting a Drupal site to Apigee Edge in
order to build a developer portal. It contains an "Apigee Edge Teams"
submodule that provides shared app functionality by allowing developers to be
organized into teams.

The "Apigee Edge Teams" submodule has an information disclosure
vulnerability. The "Add team member" form displays an email autocomplete
field which can expose the email addresses of other accounts in the system.

This vulnerability is mitigated by the fact that to have access to the form,
the site must have the Apigee Edge Teams submodule enabled, and the user must
have a team role that has the "Manage team members" permission. (Note that
team roles and permissions are not related to Drupal core roles and
permissions.)

Solution:
Install the latest version:
* If you use the apigee_edge_teams submodule for Drupal 8.x, upgrade to
Apigee Edge module 8.x-1.12 [3]
Also see the Apigee Edge [4] project page.
Reported By:
* Arlina Espinoza Rhoton [5]
Fixed By:
* Arlina Espinoza Rhoton [6]
* Chris Novak [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/apigee_edge
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/apigee_edge/releases/8.x-1.12
[4] https://www.drupal.org/project/apigee_edge
[5] https://www.drupal.org/user/1055344
[6] https://www.drupal.org/user/1055344
[7] https://www.drupal.org/user/880416
[8] https://www.drupal.org/user/36762