[IT-SecNots] [Security-news] Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059
- Date: Wed, 19 Oct 2022 20:43:26 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2022-059
Project: Search API [1]
Date: 2022-October-19
Security risk: *Moderately critical* 13∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Information Disclosure
Description:
This module enables you to build searches using a wide range of features,
data sources and backends.

The module doesn't in all cases correctly detect whether a given search is
active on the current page, leading to potential information disclosure for
some setups.

This vulnerability is mitigated by the fact that only very specific setups
will have this problem and there is no way for an attacker to trigger it.

Solution:
Install the latest version:
* If you use the Search API module for Drupal 9.x/10.x, upgrade to Search
  API 8.x-1.27 [3]
Reported By:
* Markus Kalkbrenner [4]
Fixed By:
* Gerhard Killesreiter [5] of the Drupal Security Team
* Joris Vercammen [6]
* Markus Kalkbrenner [7]
* Thomas Seidl [8]
* Damien McKenna [9] of the Drupal Security Team
Coordinated By:
* Michael Hess [10] of the Drupal Security Team
[1] https://www.drupal.org/project/search_api
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/search_api/releases/8.x-1.27
[4] https://www.drupal.org/user/124705
[5] https://www.drupal.org/user/83
[6] https://www.drupal.org/user/2393360
[7] https://www.drupal.org/user/124705
[8] https://www.drupal.org/user/205582
[9] https://www.drupal.org/user/108450
[10] https://www.drupal.org/u/mlhess
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
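
To check a Composer-managed site against the fixed release named in the Solution section, the following is an added example (not part of the advisory or of the Search API project). It assumes the module is installed as the Composer package drupal/search_api and that release 8.x-1.27 appears in composer.lock as 1.27.0; the sample lock file is constructed.

```python
import json
import re

PACKAGE = "drupal/search_api"
FIXED = (1, 27, 0)  # release 8.x-1.27 from the advisory; assumed to appear as 1.27.0 in composer.lock

def parse_version(raw):
    """Return ((major, minor, patch), is_stable), or None for dev/unparseable strings."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:-?(alpha|beta|rc)\d*)?", raw.strip(), re.I)
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3] or 0)), m[4] is None

def check_lock(lock_text):
    """Classify a composer.lock as 'not-installed', 'outdated', 'fixed' or 'unknown'."""
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in packages:
        if pkg.get("name") != PACKAGE:
            continue
        parsed = parse_version(str(pkg.get("version", "")))
        if parsed is None:
            return "unknown"      # dev branch such as "dev-8.x-1.x": check the commit by hand
        numbers, stable = parsed
        if numbers < FIXED:
            return "outdated"     # older than the release the advisory names
        if numbers == FIXED and not stable:
            return "unknown"      # pre-release of the fixed version
        return "fixed"
    return "not-installed"

# Constructed sample lock file (not from the advisory).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "9.4.8"},
        {"name": "drupal/search_api", "version": "1.26.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(PACKAGE, "->", check_lock(SAMPLE_LOCK))
```

An "outdated" result means the installed release predates 8.x-1.27; per the advisory, only very specific setups are actually affected.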