Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Registration role - Critical - Access bypass - SA-CONTRIB-2024-015

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Registration role - Critical - Access bypass - SA-CONTRIB-2024-015


Chronologisch Thread  
    < Chronologisch >       < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Registration role - Critical - Access bypass - SA-CONTRIB-2024-015
  • Date: Wed, 6 Mar 2024 17:26:16 +0000 (UTC)
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org EBB47418D0
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 8ADF381F2B
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2024-015

Project: Registration role [1]
Date: 2024-March-06
Security risk: *Critical* 18∕25
AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Affected versions: <2.0.1
Description: 
The Registration role module lets an administrator select a role (or multiple
roles) to automatically assign to new users. The selected role (or roles)
will be assigned to new registrants.

The module has a logic error when handling sites that upgraded code and did
not run the Drupal update process (e.g. update.php).

This vulnerability is mitigated by the fact that the problem does not exist
on sites that followed the process of updating code and running the standard
updates.

Solution: 
Install the latest version:

* If you use the Registration role module version 2.x, upgrade to
Registration role 2.0.1 [3]

Review user accounts registered between 2023 July 11 and now for having
additional roles you did not intend for them to have. If your site missed or
reverted an update to configuration in the version 2.0.0 release of
Registration Role (or development branch from 2020 August 17 on),
non-selected roles were not removed from configuration. Without this update,
up until you re-saved the settings form or until you install the new release
- whichever came first - users who registered receive /all/ roles.

Also, upgrade to the latest version /and run update hooks/ at update.php or
with Drush, drush updb

OR: Immediately re-save the the configuration page at
/admin/people/registration-role

Reported By: 
* Pamela Barone [4]
* Renaud Joubert [5]

Fixed By: 
* Juraj Nemec [6] of the Drupal Security Team
* Benjamin Melançon [7]

Coordinated By: 
* Juraj Nemec [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
* Drew Webber [10] of the Drupal Security Team


[1] https://www.drupal.org/project/registration_role
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/registration_role/releases/2.0.1
[4] https://www.drupal.org/user/1431110
[5] https://www.drupal.org/user/549974
[6] https://www.drupal.org/user/272316
[7] https://www.drupal.org/user/64383
[8] https://www.drupal.org/user/272316
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/255969

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • [IT-SecNots] [Security-news] Registration role - Critical - Access bypass - SA-CONTRIB-2024-015, security-news, 06.03.2024

Archiv bereitgestellt durch MHonArc 2.6.19+.

Seitenanfang