it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031
- Date: Wed, 23 Mar 2022 17:08:54 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2022-031
Project: Role Delegation [1]
Date: 2022-March-23
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
Vulnerability: Privilege escalation
Description:
This module allows site administrators to grant specific roles the authority
to assign selected roles to users, without those roles needing the
"administer permissions" permission.
The module contains an access bypass vulnerability when used in combination
with the Views Bulk Operations module. An authenticated user is able to
assign the administrator role to their own user account.
This vulnerability is mitigated by the fact that an attacker must have access
to an overview of users that has the Views Bulk Operations module enabled; for
example, the admin_views module provides such a view.
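The advisory's core point is that the delegation check must hold on every path that changes a user's roles, including a bulk action, not only on the user edit form. The following is an added example written for this archive entry; it is not code from the Role Delegation module and uses no Drupal API. The function names, the delegation map and the demo data are hypothetical, and the map stands in for the module's per-role delegation permissions.

```php
<?php
// Added example, not code from the Role Delegation module or a Drupal API.
// It models the one invariant every role-changing path (edit form, bulk
// action, REST endpoint) has to enforce: the acting user may only add or
// remove roles they are explicitly allowed to delegate. Names and the
// delegation map are hypothetical.

/**
 * Return the roles the actor may delegate, given which of the actor's own
 * roles carry delegation rights (stand-in for the module's per-role
 * "assign ... role" permissions).
 */
function delegatable_roles(array $actor_roles, array $delegation_map): array
{
    $allowed = [];
    foreach ($actor_roles as $role) {
        foreach ($delegation_map[$role] ?? [] as $delegatable) {
            $allowed[$delegatable] = true;
        }
    }
    return array_keys($allowed);
}

/**
 * Compute a target user's new role set. Any role in $add or $remove that the
 * actor may not delegate aborts the whole change: refusing is safer than
 * silently dropping the disallowed role and "partially succeeding".
 */
function apply_role_change(
    array $actor_roles,
    array $delegation_map,
    array $target_roles,
    array $add,
    array $remove
): array {
    $allowed = delegatable_roles($actor_roles, $delegation_map);
    foreach (array_merge($add, $remove) as $role) {
        if (!in_array($role, $allowed, true)) {
            throw new RuntimeException("actor is not allowed to delegate role '$role'");
        }
    }
    $result = array_diff($target_roles, $remove);
    return array_values(array_unique(array_merge($result, $add)));
}

/**
 * A bulk action is just the single-user check applied to each target. The
 * check deliberately does not care whether a target is the actor's own
 * account; the same rule applies either way.
 */
function apply_bulk_role_change(
    array $actor_roles,
    array $delegation_map,
    array $targets, // uid => current roles
    array $add,
    array $remove
): array {
    $out = [];
    foreach ($targets as $uid => $roles) {
        $out[$uid] = apply_role_change($actor_roles, $delegation_map, $roles, $add, $remove);
    }
    return $out;
}

// Constructed demo data: the actor is uid 7, whose "content_manager" role may
// hand out "editor" and "author" only.
$delegation_map = ['content_manager' => ['editor', 'author']];
$actor_roles = ['authenticated', 'content_manager'];

// Permitted: grant "editor" to two other users in one bulk operation.
print_r(apply_bulk_role_change($actor_roles, $delegation_map,
    [12 => ['authenticated'], 42 => ['authenticated', 'author']], ['editor'], []));

// Refused: the actor selects its own account (uid 7) in the bulk view and
// requests "administrator"; the same check fires as it would on the edit form.
try {
    apply_bulk_role_change($actor_roles, $delegation_map,
        [7 => $actor_roles], ['administrator'], []);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The design choice worth noting is that the authorization decision lives in the function that mutates the role set, so a second user interface such as a bulk-operations view cannot reach the mutation without passing through it; a check that lives only in the edit form's access callback is exactly the kind that a bulk path walks around.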
Solution:
Install the latest version:
* If you use the Role Delegation module for Drupal 7.x, upgrade to Role
Delegation 7.x-1.3 [3]
Reported By:
* Michael Forbes [4]
* Jeroen Tubex [5]
* Stein Setvik [6]
Fixed By:
* Michael Forbes [7]
* Jeroen Tubex [8]
* Stein Setvik [9]
Coordinated By:
* Greg Knaddison [10] of the Drupal Security Team
[1] https://www.drupal.org/project/role_delegation
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/role_delegation/releases/7.x-1.3
[4] https://www.drupal.org/user/1810100
[5] https://www.drupal.org/user/2228934
[6] https://www.drupal.org/user/77805
[7] https://www.drupal.org/user/1810100
[8] https://www.drupal.org/user/2228934
[9] https://www.drupal.org/user/77805
[10] https://www.drupal.org/user/36762
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.24.