it-securitynotifies AT lists.piratenpartei.de
Topic: Security announcements
List archive
[IT-SecNots] [Security-news] Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008
- Date: Wed, 16 Sep 2020 18:16:55 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-core-2020-008
Project: Drupal core [1]
Date: 2020-September-16
Security risk: *Moderately critical* 12/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
CVE IDs: CVE-2020-13667
Description:
The experimental Workspaces module allows you to create multiple workspaces
on your site in which draft content can be edited before being published to
the live workspace.
The Workspaces module doesn't sufficiently check access permissions when
switching workspaces, leading to an access bypass vulnerability. An attacker
might be able to see content before the site owner intends people to see the
content.
This vulnerability is mitigated by the fact that sites are only vulnerable if
they have installed the experimental Workspaces module.
Solution:
Install the latest version:
* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10 [3].
* If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6 [4].
* If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6 [5].
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.10.
Once a site running Workspaces is upgraded, authenticated users may continue
to see unauthorized workspace content that they accessed previously until
they are logged out.
If it is important for the unintended access to stop immediately, you may
wish to end all active user sessions on your site (for example, by truncating
the sessions table). Be aware that this will immediately log all users out
and can cause side effects like lost user input.
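As an added example (not part of the advisory or of Drupal core), the following Python helper encodes the fixed-release table above so an inventory of sites can be triaged for this advisory. It assumes core version strings as Drupal reports them ("8.8.9", "9.0.5", optional "-rc1"-style suffix) and a separately determined flag for whether the experimental Workspaces module is installed; the site names and versions in SAMPLE_SITES are constructed.

```python
from __future__ import annotations

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(8, 8): (8, 8, 10), (8, 9): (8, 9, 6), (9, 0): (9, 0, 6)}


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse "MAJOR.MINOR.PATCH", dropping any "-rc1"-style suffix."""
    parts = version.split("-", 1)[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal core version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str, workspaces_installed: bool) -> dict:
    """Apply the advisory's fixed-release table to one site."""
    major, minor, patch = parse_version(version)
    if (major, minor) in FIXED:
        fixed = FIXED[(major, minor)]
        core_unpatched, end_of_life = (major, minor, patch) < fixed, False
        recommended = "%d.%d.%d" % fixed
    elif major == 8 and minor < 8:
        # 8.7.x and earlier receive no security coverage; the advisory sends
        # them to 8.8.10, so treat the core as unpatched.
        core_unpatched, end_of_life, recommended = True, True, "8.8.10"
    else:
        raise ValueError(f"{major}.{minor}.x is not covered by SA-CORE-2020-008")
    return {
        "core_unpatched": core_unpatched,
        "end_of_life": end_of_life,
        # Only sites with the Workspaces module installed are exposed.
        "affected": core_unpatched and workspaces_installed,
        "recommended_release": recommended if core_unpatched else None,
    }


def sites_needing_action(sites: dict[str, tuple[str, bool]]) -> list[str]:
    """Names of sites the advisory says must upgrade, sorted for reporting."""
    return sorted(n for n, (ver, ws) in sites.items() if assess(ver, ws)["affected"])


# Constructed sample inventory: site name -> (core version, Workspaces installed?).
SAMPLE_SITES = {
    "intranet": ("8.8.9", True),   # vulnerable branch, module installed
    "blog": ("8.9.6", True),       # already on the fixed release
    "shop": ("9.0.5", False),      # unpatched core, but Workspaces not installed
    "legacy": ("8.7.8", True),     # end-of-life branch, module installed
}
```

Sites reported by sites_needing_action still need the session-ending step from the advisory after the upgrade if previously granted access must stop at once.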
Reported By:
* Andrei Mateescu [6]
Fixed By:
* Andrei Mateescu [7]
* Jess [8] of the Drupal Security Team
* Nathaniel Catchpole [9] of the Drupal Security Team
* Lee Rowlands [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team
* Dick Olsson [12]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.8.10
[4] https://www.drupal.org/project/drupal/releases/8.9.6
[5] https://www.drupal.org/project/drupal/releases/9.0.6
[6] https://www.drupal.org/user/729614
[7] https://www.drupal.org/user/729614
[8] https://www.drupal.org/user/65776
[9] https://www.drupal.org/user/35733
[10] https://www.drupal.org/user/395439
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/user/239911
Archive provided by MHonArc 2.6.19.