[IT-SecNots] [Security-news] Advanced Varnish - Moderately critical - Access bypass - SA-CONTRIB-2024-033

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2024-033

Project: Advanced Varnish [1]
Date: 2024-August-28
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: <4.0.11
Description: 
This module enables you to cache pages for logged in users at the Varnish
level.

The Varnish bin names may be guessable when no hashing noise configuration is
set on the module configuration page, which would ultimately allow any user
to view cached pages that were intended for other roles when guessing such a
bin name.

Solution: 
*There are two steps.* Install the latest version and update your
configuration:

  1) If you use the Advanced Varnish module for Drupal 4.0.x, upgrade to
     Advanced Varnish 4.0.11 [3]
  2) Go to the module configuration page and set an appropriate value to the
     hashing noise configuration.

Reported By: 
  * Heine Deelstra [4] of the Drupal Security Team

Fixed By: 
  * Heine Deelstra [5] of the Drupal Security Team
  * Alexander Shumenko [6]

Coordinated By: 
  * Greg Knaddison [7] of the Drupal Security Team


[1] https://www.drupal.org/project/adv_varnish
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/adv_varnish/releases/4.0.11
[4] https://www.drupal.org/user/17943
[5] https://www.drupal.org/user/17943
[6] https://www.drupal.org/user/2297432
[7] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news