it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046
- Date: Wed, 27 Sep 2023 17:43:34 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2023-046
Project: Entity cache [1]
Date: 2023-September-27
Security risk: *Critical* 16/25
AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Information disclosure
Description:
Entity Cache puts core entities into Drupal's cache API.
A recent release of the module does not sanitize certain inputs
appropriately. This can lead to unintended behavior when wildcard characters
are included in the input.
The impact of this bug should be relatively minor in most configurations, but
in worst-case scenarios it could lead to significant Access Bypass.
Solution:
Install the latest version:
* If you use the Entity cache module for Drupal 7.x, upgrade to Entity cache
7.x-1.7 [3].
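To check whether the remediation above applies to a given site, the installed module version can be read from the module's .info file and compared with the fixed release named in this advisory. The following is an added example written for this page, not code from the Drupal project or the advisory; it assumes the standard Drupal 7 .info layout in which drupal.org packaging writes a `version = "7.x-1.6"` line, and the sample file content is constructed.

```python
import re

# Fixed release named in SA-CONTRIB-2023-046 for the Drupal 7 branch.
FIXED_VERSION = "7.x-1.7"
PROJECT = "entitycache"

# Constructed sample .info file content in the Drupal 7 format; the
# "version" line is the one drupal.org packaging adds to releases.
SAMPLE_INFO = """
name = Entity cache
description = Puts core entities into the cache API.
core = 7.x
project = "entitycache"
version = "7.x-1.6"
"""

def parse_info(text):
    """Parse key = value pairs from a Drupal 7 .info file (quotes optional)."""
    info = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment
        m = re.match(r'^([\w.\[\]]+)\s*=\s*"?([^"]*)"?$', line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    return info

def parse_d7_version(version):
    """Split '7.x-1.6' into (major, minor, extra); None for -dev snapshots."""
    m = re.match(r'^7\.x-(\d+)\.(\d+|x)(?:-(.+))?$', version)
    if not m or m.group(2) == "x":
        return None
    return (int(m.group(1)), int(m.group(2)), m.group(3) or "")

def affected(info):
    """Return 'affected', 'fixed', 'unknown' or 'not-applicable'."""
    if info.get("project") != PROJECT or info.get("core") != "7.x":
        return "not-applicable"
    cur = parse_d7_version(info.get("version", ""))
    fixed = parse_d7_version(FIXED_VERSION)
    if cur is None:
        return "unknown"  # -dev snapshot or hand-edited checkout: inspect manually
    if cur[:2] < fixed[:2]:
        return "affected"
    if cur[:2] == fixed[:2] and cur[2] and not fixed[2]:
        return "affected"  # a pre-release tag of the fixed version
    return "fixed"

if __name__ == "__main__":
    print(affected(parse_info(SAMPLE_INFO)))
```

A "-dev" snapshot cannot be placed relative to the tagged release, so it is reported as unknown rather than silently treated as fixed.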
Reported By:
* Gary Sargent [4]
Fixed By:
* Damien McKenna [5] of the Drupal Security Team
* Gary Sargent [6]
* Drew Webber [7] of the Drupal Security Team
* Jess [8] of the Drupal Security Team
* Lee Rowlands [9] of the Drupal Security Team
* Juraj Nemec [10] of the Drupal Security Team
* Linus Cash [11]
* Neil Hodgkinson [12]
Coordinated By:
* Damien McKenna [13] of the Drupal Security Team
* Drew Webber [14] of the Drupal Security Team
* Jess [15] of the Drupal Security Team
* Greg Knaddison [16] of the Drupal Security Team
[1] https://www.drupal.org/project/entitycache
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/entitycache/releases/7.x-1.7
[4] https://www.drupal.org/user/3783192
[5] https://www.drupal.org/user/108450
[6] https://www.drupal.org/user/3783192
[7] https://www.drupal.org/user/255969
[8] https://www.drupal.org/user/65776
[9] https://www.drupal.org/user/395439
[10] https://www.drupal.org/user/272316
[11] https://www.drupal.org/user/3783315
[12] https://www.drupal.org/user/3783314
[13] https://www.drupal.org/user/108450
[14] https://www.drupal.org/user/255969
[15] https://www.drupal.org/user/65776
[16] https://www.drupal.org/user/36762
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.24.