[IT-SecNots] [Security-news] Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2022-045

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2022-045

Project: Apigee Edge [1]
Date: 2022-May-25
Security risk: *Moderately critical* 13∕25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description: 
The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in
order to build a developer portal. The developers (user) can view API keys
for their respective Apps.

The module discloses information by allowing attackers to view cached
information of API Keys from the browser cache for a limited time frame after
the user login on the same computer.

Solution: 
Install the latest version:

  * If you use the Apigee Edge module version 2.0.x for Drupal 9.x, upgrade 
to
    Apigee Edge 2.0.3 [3]
  * If you use the Apigee Edge module version 8.x-1.x for Drupal 9.x, upgrade
    to Apigee Edge 8.x-1.26 [4]

Reported By: 
  * Dezső BICZÓ [5]

Fixed By: 
  * Dezső BICZÓ [6]

Coordinated By: 
  * Greg Knaddison [7] of the Drupal Security Team


[1] https://www.drupal.org/project/apigee_edge
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/apigee_edge/releases/2.0.3
[4] https://www.drupal.org/project/apigee_edge/releases/8.x-1.26
[5] https://www.drupal.org/user/315522
[6] https://www.drupal.org/user/315522
[7] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news