Feed aggregator

drupal security adv

More

Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001

drupal security adv - Wed, 01/17/2024 - 18:04
Project: Drupal coreDate: 2024-January-17Security risk: Moderately critical 11 ∕ 25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:DefaultVulnerability: Denial of ServiceAffected versions: >=8.0 <10.1.8 || >=10.2 <10.2.2CVE IDs: CVE-2024-11941Description: 

The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).

Sites that do not use the Comment module are not affected.

Solution: 

Install the latest version:

All versions of Drupal 10 prior to 10.1 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Drupal 7 is not affected.

Reported By: Fixed By: 

Drupal core - Critical - Cache poisoning - SA-CORE-2023-006

drupal security adv - Wed, 09/20/2023 - 18:23
Project: Drupal coreDate: 2023-September-20Security risk: Critical 16 ∕ 25 AC:Complex/A:None/CI:All/II:Some/E:Theoretical/TD:DefaultVulnerability: Cache poisoningAffected versions: >=8.7.0 <9.5.11 || >=10.0 <10.0.11 || >= 10.1 <10.1.4CVE IDs: CVE-2023-5256Description: 

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.

Drupal Steward partners have been made aware of this issue. Some platforms may provide mitigations. However, not all WAF configurations can mitigate the issue, so it is still recommended to update promptly to this security release if your site uses JSON:API.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.5 are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 is not affected.

Reported By: Fixed By: 

Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005

drupal security adv - Wed, 04/19/2023 - 19:06
Project: Drupal coreDate: 2023-April-19Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <7.96.0 || >=9.4.0 <9.4.14 || >=9.5.0 <9.5.8 || >=10.0.0 <10.0.8 || 8.0.* || 8.1.* || 8.2.* || 8.3.* || 8.4.* || 8.5.* || 8.6.* || 8.7.* || 8.8.* || 8.9.* || 9.0.* || 9.1.* || 9.2.* || 9.3.*CVE IDs: CVE-2023-31250Description: 

The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.

Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.

This advisory is covered by Drupal Steward. Because this vulnerability is not mass exploitable, your Steward partner may respond by monitoring-only, rather than enforcing a new WAF rule.

We would normally not apply for a release of this severity. However, in this case we have chosen to apply Drupal Steward security coverage to test our processes.

Drupal 7
  • All Drupal 7 sites on Windows web servers are vulnerable.
  • Drupal 7 sites on Linux web servers are vulnerable with certain file directory structures, or if a vulnerable contributed or custom file access module is installed.
Drupal 9 and 10

Drupal 9 and 10 sites are only vulnerable if certain contributed or custom file access modules are installed.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Reported By: Fixed By: 

Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004

drupal security adv - Wed, 03/15/2023 - 17:26
Project: Drupal coreDate: 2023-March-15Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <7.95 || >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5Description: 

Drupal core provides a page that outputs the markup from phpinfo() to assist with diagnosing PHP configuration.

If an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the attack.

This vulnerability is mitigated by the fact that a successful XSS exploit is required in order to exploit it.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Reported By: Fixed By: 

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003

drupal security adv - Wed, 03/15/2023 - 17:24
Project: Drupal coreDate: 2023-March-15Security risk: Moderately critical 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information DisclosureAffected versions: >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5Description: 

The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages.

The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Language module and therefore is not affected. The contributed modules for translation do not have the same code for language-switching links, so they are not affected, either.

Reported By: Fixed By: