[IT-SecNots] [Security-news] Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-043


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-043
  • Date: Wed, 25 May 2022 17:38:02 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2022-043

Project: Open Social [1]
Date: 2022-May-25
Security risk: *Moderately critical* 14/25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
Open Social is a Drupal distribution for online communities.

Group entities created within Open Social did not sufficiently check entity
access in group overviews, so users could see information in the overviews
that they should not have been able to access. Visiting the entity directly
applied the correct access checks.
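The pattern described above, as an added illustration and not Open Social's own code: a hypothetical group overview built on Drupal's entity API, shown first without and then with the entity access checks that the canonical entity route already enforces. It assumes the Group module's "group" entity type and an $account for the viewing user.

```php
<?php
// Added illustration, not code from the Open Social project. Assumes the
// Group module's "group" entity type and a Drupal AccountInterface $account.

use Drupal\Core\Session\AccountInterface;

/**
 * Weak overview: every group the query returns is listed, so a user who is
 * not allowed to view a group still sees it in the overview.
 */
function overview_without_access_check(): array {
  $storage = \Drupal::entityTypeManager()->getStorage('group');
  $ids = $storage->getQuery()
    ->accessCheck(FALSE)   // query-level access checking disabled
    ->execute();
  // No per-entity access check before the entities are rendered.
  return $storage->loadMultiple($ids);
}

/**
 * Hardened overview: enforce access at query time and again per entity, so
 * the overview shows exactly what visiting each group directly would allow.
 */
function overview_with_access_check(AccountInterface $account): array {
  $storage = \Drupal::entityTypeManager()->getStorage('group');
  $ids = $storage->getQuery()
    ->accessCheck(TRUE)    // apply the entity type's query access handling
    ->execute();
  $visible = [];
  foreach ($storage->loadMultiple($ids) as $id => $group) {
    // Same access control handler that protects the entity's own route.
    if ($group->access('view', $account)) {
      $visible[$id] = $group;
    }
  }
  return $visible;
}
```

The per-entity check is what keeps the overview consistent with the direct entity page; a query-level check alone does not cover access rules implemented only in the entity's access control handler.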

This vulnerability is mitigated by the fact that an attacker must be able to
view Group entities in an overview and have certain common permissions
revoked.

Please note that the affected versions were already unsupported. This advisory
is released nonetheless because there are still reported installs of the
affected versions.

Solution: 
Install the latest versions:

* If you use Open Social versions prior to 11.0.0, upgrade to at least Open
Social 11.0.0 [3] where this issue is resolved

Preferably use one of the supported versions:

* Open Social 11.3.0 [4]
* Open Social 11.2.3 [5]
* Open Social 11.1.7 [6]

Reported By: 
* Dmitry Kiselev [7]

Fixed By: 
A variety of people as part of upgrading to version 11.

Coordinated By: 
* Greg Knaddison [8] of the Drupal Security Team
* Damien McKenna [9] of the Drupal Security Team
* Alex Bronstein [10] of the Drupal Security Team


[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/11.0.0
[4] https://www.drupal.org/project/social/releases/11.3.0
[5] https://www.drupal.org/project/social/releases/11.2.3
[6] https://www.drupal.org/project/social/releases/11.1.7
[7] https://www.drupal.org/user/1945174
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/108450
[10] https://www.drupal.org/user/78040

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

