it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013
- Date: Wed, 20 Jul 2022 17:18:44 +0000 (UTC)
- Authentication-results: mail.piratenpartei.de; dkim=none; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 72BD2415F0
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org D52B1415DF
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 2F333824CE
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 7089B8249E
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-core-2022-013
Project: Drupal core [1]
Date: 2022-July-20
Security risk: *Moderately critical* 12∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access Bypass
Description:
Under certain circumstances, the Drupal core form API evaluates form element
access incorrectly. This may lead to a user being able to alter data they
should not have access to.
No forms provided by Drupal core are known to be vulnerable. However, forms
added through contributed or custom modules or themes may be affected.
This advisory is not covered by Drupal Steward [3].
Solution:
Install the latest version:
* If you are using Drupal 9.4, update to Drupal 9.4.3 [4].
* If you are using Drupal 9.3, update to Drupal 9.3.19 [5].
All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive
security coverage. Note that Drupal 8 has reached its end of life [6].
Drupal 7 core is not affected.
Reported By:
* Pierre Rudloff [7]
Fixed By:
* Pierre Rudloff [8]
* Tim Plunkett [9]
* Heine [10] of the Drupal Security Team
* Alex Bronstein [11] of the Drupal Security Team
* xjm [12] of the Drupal Security Team
* Lauri Eskola [13], provisional member of the Drupal Security Team
* Dave Long [14], provisional member of the Drupal Security Team
* Lee Rowlands [15] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/steward
[4] https://www.drupal.org/project/drupal/releases/9.4.3
[5] https://www.drupal.org/project/drupal/releases/9.3.19
[6] https://www.drupal.org/psa-2021-06-29
[7] https://www.drupal.org/user/3611858
[8] https://www.drupal.org/user/3611858
[9] https://www.drupal.org/user/241634
[10] https://www.drupal.org/user/17943
[11] https://www.drupal.org/user/78040
[12] https://www.drupal.org/user/65776
[13] https://www.drupal.org/user/1078742
[14] https://www.drupal.org/user/246492
[15] https://www.drupal.org/user/395439
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013, security-news, 20.07.2022
Archiv bereitgestellt durch MHonArc 2.6.24.