[IT-SecNots] [Security-news] Group - Moderately critical - Information disclosure - SA-CONTRIB-2020-032

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2020-032

Project: Group [1]
Version: 8.x-1.x-dev
Date: 2020-August-05
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information disclosure

Description: 
The Group module enables you to hand out permissions on a smaller subset,
section or community of your website.

With the 1.1 security release, new code was introduced to ensure proper
access for all entity types, but a mistake introduced unexpected access to
unpublished nodes.

Solution: 
Install the latest version:

  * If you are using 8.x-1.0 [3] or later, you should upgrade to 8.x-1.2 [4].
  * If you are using 8.x-1.0-rc5 [5], that version is not affected by this
    issue. You can also consider upgrading to 8.x-1.2 [6].

Reported By: 
  * Sean Blommaert [7]
  * Martijn Vermeulen [8]

Fixed By: 
  * Kristiaan Van den Eynde [9]


[1] https://www.drupal.org/project/group
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/group/releases/8.x-1.0
[4] https://www.drupal.org/project/group/releases/8.x-1.2
[5] https://www.drupal.org/project/group/releases/8.x-1.0-rc5
[6] https://www.drupal.org/project/group/releases/8.x-1.2
[7] https://www.drupal.org/user/545912
[8] https://www.drupal.org/user/960720
[9] https://www.drupal.org/user/1345130

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news