[IT-SecNots] [Security-news] OhDear Integration - Moderately critical - Access bypass - SA-CONTRIB-2024-056

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2024-056

Project: OhDear Integration [1]
Date: 2024-October-30
Security risk: *Moderately critical* 13 ∕ 25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Affected versions: <2.0.4
Description: 
Integrates your Drupal website with the Oh Dear monitoring app.

Cached data of monitoring results is accessible to non-logged in users when
caching is enabled on the module.

This vulnerability is mitigated by the fact that it only affects sites where
caching is enabled for OhDear report healthcheck endpoint. It is not enabled
by default and there's no UI option to do it. It has to be done directly in
the ohdear_integration.settings.yml.

Solution: 
Install the latest version:

  * If you use the OhDear Integration module, upgrade to 2.0.4 version. [3]

Reported By: 
  * casey [4]

Fixed By: 
  * casey [5]
  * Lio Novelli [6]

Coordinated By: 
  * Greg Knaddison [7] of the Drupal Security Team
  * Juraj Nemec [8] of the Drupal Security Team


[1] https://www.drupal.org/project/ohdear_integration
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ohdear_integration/releases/2.0.4
[4] https://www.drupal.org/user/32403
[5] https://www.drupal.org/user/32403
[6] https://www.drupal.org/user/3542704
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/272316

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news