it-securitynotifies - [IT-SecNots] [Security-news] Flexi Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-036

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Flexi Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-036
  • Date: Wed, 23 Aug 2023 18:21:54 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2023-036

Project: Flexi Access [1]
Date: 2023-August-23
Security risk: *Critical* 17/25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Arbitrary PHP code execution

Description: 
The Flexi Access module will provide a simple and flexible interface to the
ACL (Access Control List) module. It will let you set up and manage ACLs
naming individual users that are allowed access to a particular node.

The module processes user input in a way that could be unsafe. This can lead
to Remote Code Execution via Object Injection.
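As an added illustration (not code from the Flexi Access or ACL modules), the generic PHP object-injection pattern the advisory refers to, placed beside two ways to close it. The advisory does not disclose the actual code path, so the function names and the `acl_state` request parameter below are hypothetical.

```php
<?php
// Added illustration, not code from Flexi Access or ACL. The advisory only
// states that user input is processed unsafely and that this "can lead to
// Remote Code Execution via Object Injection"; the concrete code path is not
// disclosed, so the function names and the 'acl_state' parameter are
// hypothetical.

// Pattern 1 (unsafe, hypothetical): a serialized PHP string taken from the
// request goes straight into unserialize(). Any autoloadable class with a
// __wakeup() or __destruct() method then becomes instantiable by the client,
// which is what "object injection" means. This is the pattern to look for in
// a code review.
function flexi_example_load_unsafe(array $request) {
  $raw = $request['acl_state'] ?? '';
  return unserialize($raw);   // the client decides which class comes back
}

// Pattern 2 (hardened): refuse to instantiate any class. PHP 7+ accepts
// 'allowed_classes' => FALSE, which turns every object in the payload into
// __PHP_Incomplete_Class and never runs its magic methods.
function flexi_example_load_scalar_only(array $request) {
  $raw = $request['acl_state'] ?? '';
  $data = unserialize($raw, ['allowed_classes' => FALSE]);
  if (!is_array($data)) {
    return [];
  }
  // Validate the shape you expect: here, a list of integer user IDs.
  return array_values(array_filter($data, 'is_int'));
}

// Pattern 3 (preferred): do not use PHP serialization for client-supplied
// state at all. JSON can only yield scalars, arrays and stdClass.
function flexi_example_load_json(array $request) {
  $data = json_decode($request['acl_state'] ?? '', TRUE);
  return is_array($data) ? array_values(array_filter($data, 'is_int')) : [];
}

// Constructed sample input: a serialized array of two user IDs.
$request = ['acl_state' => serialize([3, 17])];
var_dump(flexi_example_load_scalar_only($request));
var_dump(flexi_example_load_json(['acl_state' => json_encode([3, 17])]));
```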

This vulnerability is mitigated by the fact that known exploit paths require
an attacker to have a combination of permissions provided by the module; for
example "access flexiaccess" and "flexiaccess view". See
_flexiaccess_node_access() for details. The "administer flexiaccess"
permission alone does not grant access to the vulnerable functionality.

This Security Advisory is being released in coordination with
SA-CONTRIB-2023-034 [3] for the ACL module, on which Flexi Access depends.

Solution: 
Install the latest version:

* If you use the Flexi Access module for Drupal 7.x, upgrade to Flexi Access
7.x-1.3 [4].
The ACL module (a dependency) must also be updated.

Reported By: 
* Drew Webber [5] of the Drupal Security Team

Fixed By: 
* Drew Webber [6] of the Drupal Security Team
* Gisle Hannemyr [7]

Coordinated By: 
* Drew Webber [8] of the Drupal Security Team
* Cathy Theys [9] of the Drupal Security Team
* Damien McKenna [10] of the Drupal Security Team


[1] https://www.drupal.org/project/flexiaccess
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-contrib-2023-034
[4] https://www.drupal.org/project/flexiaccess/releases/7.x-1.3
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/255969
[7] https://www.drupal.org/user/409554
[8] https://www.drupal.org/user/255969
[9] https://www.drupal.org/user/258568
[10] https://www.drupal.org/user/108450

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

