it-securitynotifies - [IT-SecNots] [Security-news] Libraries UI - Moderately critical - Access bypass - SA-CONTRIB-2023-027

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Libraries UI - Moderately critical - Access bypass - SA-CONTRIB-2023-027
  • Date: Wed, 28 Jun 2023 17:52:19 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2023-027

Project: Libraries UI [1]
Version: 8.x-1.0
Date: 2023-June-28
Security risk: *Moderately critical* 11/25
AC:None/A:None/CI:None/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
This module enables a UI to display all libraries provided by modules and
themes on the Drupal site.

The module doesn't sufficiently protect the libraries reporting page. It
currently uses the 'access content' permission rather than a proper
administrative/access permission.

The library information is exposed to anyone who knows or visits the URL of
the reporting page. The solution is to protect the page with a
module-specific permission that must be granted by an administrative user.
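The weak route definition described above next to its hardened form, as an added illustration that is not the libraries_ui module's own code; the route name, path, controller class and permission name are assumptions:

```yaml
# --- example_libraries_ui.routing.yml (constructed example) ---
# Route name, path, controller and permission name are assumptions and are
# not taken from the libraries_ui module.

# WEAK: a report page reachable by anyone holding 'access content', a
# permission Drupal grants to the anonymous and authenticated roles by
# default, so the route is effectively public. Shown for contrast only; it
# must not ship alongside the fixed route below (same path).
example_libraries_ui.report_weak:
  path: '/admin/reports/example-libraries'
  defaults:
    _controller: '\Drupal\example_libraries_ui\Controller\ReportController::build'
    _title: 'Libraries report (weak)'
  requirements:
    _permission: 'access content'

# FIXED: the same page gated behind a module-specific permission that only
# an administrator can grant to a role.
example_libraries_ui.report:
  path: '/admin/reports/example-libraries'
  defaults:
    _controller: '\Drupal\example_libraries_ui\Controller\ReportController::build'
    _title: 'Libraries report'
  requirements:
    _permission: 'view example libraries ui report'

---
# --- example_libraries_ui.permissions.yml (constructed example) ---
# Declares the permission referenced above. 'restrict access: TRUE' flags it
# as security-sensitive on the permissions admin page, so site builders are
# warned before handing it to untrusted roles.
view example libraries ui report:
  title: 'View the libraries report'
  description: 'Lists every library provided by installed modules and themes.'
  restrict access: TRUE
```

After deploying such a change, confirm with an anonymous session that the report path now returns 403 and that the new permission is assigned only to administrative roles.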

Solution: 
Install the latest version of 8.x-1.x or upgrade to 8.x-2.x:

* If you use the Libraries UI module 8.x-1.0, upgrade to Libraries UI
8.x-1.1 [3]
* The vulnerability does not affect the Libraries UI module 8.x-2.x series.

Reported By: 
* Jörg Riemenschneider [4]

Fixed By: 
* Jörg Riemenschneider [5]
* George [6]

Coordinated By: 
* Damien McKenna [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/libraries_ui
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/libraries_ui/releases/8.x-1.1
[4] https://www.drupal.org/user/2809357
[5] https://www.drupal.org/user/2809357
[6] https://www.drupal.org/user/1270728
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

