Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Group - Less critical - Access bypass - SA-CONTRIB-2023-054

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Group - Less critical - Access bypass - SA-CONTRIB-2023-054


Chronologisch Thread  
    < Chronologisch >       < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Group - Less critical - Access bypass - SA-CONTRIB-2023-054
  • Date: Wed, 6 Dec 2023 18:22:33 +0000 (UTC)
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 058E6423E0
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 79DB242207
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 5447441E31
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 90FAD4190B
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2023-054

Project: Group [1]
Date: 2023-December-06
Security risk: *Less critical* 8∕25
AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Affected versions: >=2.0.0 <2.2.2 || >=3.0.0 <3.2.2
Description: 
The Group module has the ability to make content private to specific groups.
When viewing a list of entities, e.g. nodes, a visitor should only see those
entities that are either not attached to a group or that they have group
access to.

The module doesn't sufficiently enforce list access under the scenario where
two users have the same outsider and insider permissions, but are members of
different groups without any individual roles being assigned to said
memberships. In such a scenario, the permissions hash for both will be the
same even though it should differ.

This vulnerability is mitigated by the fact that an attacker must have the
same hash as someone else, which is quite rare yet not unthinkable.

Solution: 
Install the latest version:

* Sites using Group version 2 should upgrade to Group v2.2.2 [3]
* Sites using Group version 3 should upgrade to Group v3.2.2 [4]

Reported By: 
* Dylan Donkersgoed [5]

Fixed By: 
* Dylan Donkersgoed [6]
* Péter Keszthelyi [7]
* Austin Mitchell [8]
* Ian Bullock [9]

Coordinated By: 
* Damien McKenna [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team


[1] https://www.drupal.org/project/group
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/group/releases/2.2.2
[4] https://www.drupal.org/project/group/releases/3.2.2
[5] https://www.drupal.org/user/2803351
[6] https://www.drupal.org/user/2803351
[7] https://www.drupal.org/user/1939064
[8] https://www.drupal.org/user/3534491
[9] https://www.drupal.org/user/1291942
[10] https://www.drupal.org/user/108450
[11] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • [IT-SecNots] [Security-news] Group - Less critical - Access bypass - SA-CONTRIB-2023-054, security-news, 06.12.2023

Archiv bereitgestellt durch MHonArc 2.6.19+.

Seitenanfang