[IT-SecNots] [Security-news] Next.js - Moderately critical - Access bypass - SA-CONTRIB-2022-054

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2022-054

Project: Next.js [1]
Version: 1.2.01.1.01.0.0
Date: 2022-September-07
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
The Next.js module provides an inline preview for content. Authenticated
requests are made to Drupal to fetch JSON:API content and render them in an
iframe from the decoupled Next.js site.

The current implementation doesn’t sufficiently check access for fetching
data. All requests made to Drupal are authenticated using a single scope with
elevated content access. Users without access to content could be exposed to
unauthorized content.

Solution: 
If you use the Next.js module for Drupal 9.x:

  1) Upgrade to version v1.3.0 [3].
  2) Edit the Next.js user and assign all roles that can be used as scopes.
     The granted roles will be filtered based on roles assigned to the 
current
     user.

See the upgrade guide at https://next-drupal.org/docs/upgrade-guide [4].

Reported By: 
  * Lauri Eskola [5]

Fixed By: 
  * Lauri Eskola [6]
  * shadcn  [7]
  * Minnur Yunusov [8]

Coordinated By: 
  * Damien McKenna [9] of the Drupal Security Team


[1] https://www.drupal.org/project/next
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/next/releases/1.3.0
[4] https://next-drupal.org/docs/upgrade-guide
[5] https://www.drupal.org/user/1078742
[6] https://www.drupal.org/user/1078742
[7] https://www.drupal.org/user/571032
[8] https://www.drupal.org/user/702026
[9] https://www.drupal.org/user/108450

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news