[IT-SecNots] [Security-news] Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-core-2022-009

Project: Drupal core [1]
Date: 2022-April-20
Security risk: *Moderately critical* 13∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
Drupal 9.3 implemented a generic entity access API for entity revisions.
However, this API was not completely integrated with existing permissions,
resulting in some possible access bypass for users who have access to use
revisions of content generally, but who do not have access to individual
items of node and media content.

This vulnerability only affects sites using Drupal's revision system.

This advisory is not covered by Drupal Steward [3].

Solution: 
Install the latest version:

  * If you are using Drupal 9.3, update to Drupal 9.3.12 [4].

All releases prior to Drupal 9.3 (including Drupal 7) are not affected.

Reported By: 
  * Kristiaan Van den Eynde [5]

Fixed By: 
  * Kristiaan Van den Eynde [6]
  * Lee Rowlands [7] of the Drupal Security Team
  * Adam Bramley [8]
  * xjm [9] of the Drupal Security Team
  * Dave Long [10]
  * Nathaniel Catchpole [11] of the Drupal Security Team
  * Jibran Ijaz [12]
  * Benji Fisher [13]


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/steward
[4] https://www.drupal.org/project/drupal/releases/9.3.12
[5] https://www.drupal.org/user/1345130
[6] https://www.drupal.org/user/1345130
[7] https://www.drupal.org/user/395439
[8] https://www.drupal.org/user/1036766
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/246492
[11] https://www.drupal.org/user/35733
[12] https://www.drupal.org/user/1198144
[13] https://www.drupal.org/user/683300

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news