it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] User hash - Moderately critical - Cache poisoning - SA-CONTRIB-2021-030
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] User hash - Moderately critical - Cache poisoning - SA-CONTRIB-2021-030
- Date: Wed, 22 Sep 2021 18:04:40 +0000 (UTC)
- Authentication-results: mail02.piratenpartei.de; dkim=none; spf=pass (mail02.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2021-030
Project: User hash [1]
Date: 2021-September-22
Security risk: *Moderately critical* 12/25
AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Cache poisoning
Description:
This module enables you to create an individual hash for each user. These
hashes can be used for authentication instead of the user's password, e.g.
for views exporters.
The module does not sufficiently invalidate cached page output when the
page_cache module is enabled.
This vulnerability is mitigated by the fact that an attacker must have a user
hash that grants access to specific content and the attack must be timed to
the reset of the page cache.
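The description above is the general shape of a page-cache poisoning bug: a shared cache that keys responses on the URL alone stores whatever the first request after a cache clear produced, and if that request was authenticated with a user hash, the per-user rendering is served to every later visitor of the same path. The following model is an added example written for this archive entry; it is not code from the user_hash module or from Drupal, the fix shipped in 2.0.1 is not reproduced here, and the hash values, paths and page bodies are constructed sample data. It places a URL-only cache beside one that keys on the authentication context and refuses to store hash-authenticated responses.

```python
"""Model of the cache-poisoning class described in the advisory.

A page cache keyed on the path alone stores whatever the first request after
a cache clear produced. If that request carried a valid user hash, the
private rendering is then served to every later visitor of the same path
until the next cache clear. The hardened cache keys on the authentication
context and never stores responses produced for a hash-authenticated request.
(Simplified model, not the Drupal or user_hash implementation.)
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data: one valid user hash and the content it unlocks.
USER_HASHES = {"hash-alice-0001": "alice"}
PRIVATE_CONTENT = {"/export/report": "CONFIDENTIAL: alice's export"}
PUBLIC_CONTENT = {"/export/report": "Access denied"}


@dataclass
class Request:
    path: str
    user_hash: Optional[str] = None  # hash presented instead of a password


@dataclass
class Response:
    body: str
    authenticated: bool  # True if rendered for a hash-authenticated user


def render(req: Request) -> Response:
    """Origin: authenticate by hash, then render per-user content."""
    user = USER_HASHES.get(req.user_hash) if req.user_hash else None
    if user:
        return Response(PRIVATE_CONTENT[req.path], authenticated=True)
    return Response(PUBLIC_CONTENT[req.path], authenticated=False)


class PageCache:
    """Shared cache in front of render(); behaviour set by two policies."""

    def __init__(self, key_fn: Callable, cacheable_fn: Callable):
        self._key = key_fn
        self._cacheable = cacheable_fn
        self._store: Dict = {}

    def clear(self) -> None:
        self._store.clear()

    def get(self, req: Request) -> Response:
        key = self._key(req)
        if key in self._store:
            return self._store[key]
        resp = render(req)
        if self._cacheable(req, resp):
            self._store[key] = resp
        return resp


def vulnerable_cache() -> PageCache:
    # Keyed on the path alone and caches everything, private output included.
    return PageCache(key_fn=lambda r: r.path, cacheable_fn=lambda r, s: True)


def hardened_cache() -> PageCache:
    # Key carries the authentication context, and responses rendered for a
    # hash-authenticated request are never stored in the shared page cache.
    return PageCache(
        key_fn=lambda r: (r.path, r.user_hash),
        cacheable_fn=lambda r, s: not s.authenticated and r.user_hash is None,
    )


def simulate(cache: PageCache) -> Tuple[str, str]:
    """Hash holder hits the path right after a cache clear, then an anonymous
    visitor. Returns (body seen by anonymous, body seen by hash holder)."""
    cache.clear()
    holder = cache.get(Request("/export/report", user_hash="hash-alice-0001"))
    anon = cache.get(Request("/export/report"))
    return anon.body, holder.body


def simulate_anonymous_first(cache: PageCache) -> Tuple[str, str]:
    """Same scenario with the order reversed: shows why the timing relative
    to the cache reset matters. Returns (anonymous body, hash holder body)."""
    cache.clear()
    anon = cache.get(Request("/export/report"))
    holder = cache.get(Request("/export/report", user_hash="hash-alice-0001"))
    return anon.body, holder.body
```

With the URL-only cache, the anonymous visitor receives the private body when the hash-authenticated request came first, and the hash holder receives the public body when the anonymous request came first; the cache key never distinguishes the two. The hardened cache returns the correct body to each party in both orders, which is the property a cache-context or max-age fix has to restore.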
Solution:
Install the latest version:
* If you use the user_hash module for Drupal 8 or 9, upgrade to User Hash 2.0.1 [3]
Reported By:
* Jürgen Haas [4]
* Lee Rowlands [5] of the Drupal Security Team
Fixed By:
* Jürgen Haas [6]
* Lee Rowlands [7] of the Drupal Security Team
Coordinated By:
* Damien McKenna [8] of the Drupal Security Team
[1] https://www.drupal.org/project/user_hash
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/user_hash/releases/2.0.1
[4] https://www.drupal.org/user/168924
[5] https://www.drupal.org/user/395439
[6] https://www.drupal.org/user/168924
[7] https://www.drupal.org/user/395439
[8] https://www.drupal.org/u/damienmckenna
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.24.