News reader

Subgroup - Less critical - Access bypass - SA-CONTRIB-2021-003

Security advisories (contrib) - 27 January 2021, 18:53
Project: Subgroup
Version: 1.0.x-dev
Date: 2021-January-27
Security risk: Less critical 9/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description:

This module enables you to add groups to other groups in a tree structure where access can be inherited up or down the tree.

When you configure Subgroup to have a tree with at least three levels, users may inadvertently get permissions in a group that is an uncle or cousin of the source group, rather than a direct ancestor or descendant. Trees in which branching (more than one node at a level) occurs only at the lowest tier, or not at all, are unaffected.

Solution: 

Install the latest version, Subgroup 1.0.1, and clear your caches.


Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-002

Security advisories (contrib) - 27 January 2021, 18:27
Project: Open Social
Version: 8.x-9.x-dev, 8.x-8.x-dev
Date: 2021-January-27
Security risk: Moderately critical 10/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

The Social User Export module enables users within Open Social to create an export of users and download this to a CSV file.

The module doesn't sufficiently check access when building the CSV file, allowing logged-in users without the manage members permission to be able to export all data from a selected user in certain scenarios.

This vulnerability is mitigated by the fact that an attacker must have the authenticated user role and the site must have the configuration set in such a way a logged in user is able to export users.

Solution: 

Install the latest version:

  • If you use Open Social major version 8, upgrade to 8.x-8.10
  • If you use Open Social major version 9, upgrade to 8.x-9.8

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-001

Security advisories (contrib) - 27 January 2021, 18:17
Project: Open Social
Version: 8.x-9.x-dev, 8.x-8.x-dev
Date: 2021-January-27
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description:

The optional Social Auth Extra module enables you to use the single sign-on methods provided by Open Social e.g. Facebook, LinkedIn, Google and Twitter.

The module doesn't implement a proper cache strategy for anonymous users allowing the registration form to be cached with disclosed information in certain scenarios. The information is usually only available for logged-in users of the community.

This vulnerability is mitigated by the fact that social_auth_extra needs to be enabled and one of the single sign-on methods needs to be configured. There is no impact for regular registration without single sign-on.

Removing the single sign-on providers from the configuration blocks this vulnerability.

Solution: 

Install the latest version:

  • If you use Open Social major version 8, upgrade to 8.x-8.10
  • If you use Open Social major version 9, upgrade to 8.x-9.8

Drupal core - Critical - Third-party libraries - SA-CORE-2021-001

Security advisories (core) - 20 January 2021, 18:10
Project: Drupal core
Date: 2021-January-20
Security risk: Critical 18/25 AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:Uncommon
Vulnerability: Third-party libraries
Description:

The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal. For more information please see:

Exploits may be possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Disable uploads of .tar, .tar.gz, .bz2, or .tlz files to mitigate the vulnerability.


Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013

Security advisories (core) - 26 November 2020, 00:57
Project: Drupal core
Date: 2020-November-25
Security risk: Critical 18/25 AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:Uncommon
Vulnerability: Arbitrary PHP code execution
CVE IDs: CVE-2020-28949, CVE-2020-28948
Description:

The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2 or .tlz files.

This is a different issue from SA-CORE-2019-12, but similar configuration changes may mitigate the problem until you are able to patch.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.

According to the regular security release window schedule, November 25th would not typically be a core security window. However, this release is necessary because there are known exploits for one of core's dependencies and some configurations of Drupal are vulnerable.


SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-038

Security advisories (contrib) - 18 November 2020, 18:27
Project: SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider
Date: 2020-November-18
Security risk: Critical 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description:

This module enables your users residing at a SAML 2.0 compliant Identity Provider to log in to your Drupal website.

The module has two Authentication Bypass vulnerabilities.

Solution: 

Install the latest version:


Ink Filepicker - Critical - Unsupported - SA-CONTRIB-2020-037

Security advisories (contrib) - 18 November 2020, 18:22
Project: Ink Filepicker
Date: 2020-November-18
Security risk: Critical 17/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Unsupported
Description:

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer.

It looks like the 3rd party service that this module integrates with may have been retired.

If you would like to maintain this project nevertheless, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution: 

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.

Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036

Security advisories (contrib) - 18 November 2020, 18:19
Project: Media: oEmbed
Date: 2020-November-18
Security risk: Critical 17/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

Media oEmbed does not properly sanitize certain filenames as described in SA-CORE-2020-012.

Solution: 

Install the latest version:


Drupal core - Critical - Remote code execution - SA-CORE-2020-012

Security advisories (core) - 18 November 2020, 18:18
Project: Drupal core
Date: 2020-November-18
Security risk: Critical 17/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote code execution
CVE IDs: CVE-2020-13671
Description:

Update November 18: Documented longer list of dangerous file extensions

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.

Additionally, it's recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like filename.php.txt or filename.html.gif, without an underscore (_) in the extension. Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions:

  • phar
  • php
  • pl
  • py
  • cgi
  • asp
  • js
  • html
  • htm
  • phtml

This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis.
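As a defender's aid for the audit step above, the following added Python script (not code from Drupal or from the advisory) flags uploaded filenames whose extension chain contains one of the listed dangerous extensions. It skips extension parts that already contain an underscore, matching the advisory's "without an underscore in the extension" criterion, and matches case-insensitively. The sample names are constructed for illustration; point audit_directory() at a real upload directory (for example the site's public files directory) to audit it.

```python
"""Audit uploaded filenames for dangerous multi-extension names (SA-CORE-2020-012)."""
import os
from typing import Dict, Iterable, Iterator, List, Tuple

# Extensions the advisory lists as dangerous even when followed by further extensions.
DANGEROUS_EXTENSIONS = frozenset(
    {"phar", "php", "pl", "py", "cgi", "asp", "js", "html", "htm", "phtml"}
)


def extension_chain(filename: str) -> List[str]:
    """Return every dot-separated extension of a filename, lower-cased.

    'report.php.txt' -> ['php', 'txt']; 'README' -> []; '.htaccess' -> []
    (a leading dot belongs to the basename, not to an extension).
    """
    base = os.path.basename(filename)
    parts = base.split(".")
    if parts[0] == "":  # dotfile: '.htaccess' splits into ['', 'htaccess']
        parts = parts[1:]
    return [p.lower() for p in parts[1:]]


def dangerous_extensions(filename: str) -> List[str]:
    """Return the dangerous extensions present anywhere in the name, in order.

    Parts containing an underscore (e.g. 'php_') are treated as already munged
    and are not reported.
    """
    return [
        ext
        for ext in extension_chain(filename)
        if "_" not in ext and ext in DANGEROUS_EXTENSIONS
    ]


def is_suspicious(filename: str) -> bool:
    """True when at least one unmunged dangerous extension is present."""
    return bool(dangerous_extensions(filename))


def audit_names(names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each suspicious name to the dangerous extensions found in it."""
    return {n: dangerous_extensions(n) for n in names if is_suspicious(n)}


def audit_directory(root: str) -> Iterator[Tuple[str, List[str]]]:
    """Walk an upload directory and yield (path, dangerous extensions) for hits."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            hits = dangerous_extensions(name)
            if hits:
                yield os.path.join(dirpath, name), hits


# Constructed sample names (not taken from any real site) covering the cases.
SAMPLE_NAMES = [
    "minutes.pdf",        # clean
    "archive.tar.gz",     # two extensions, neither dangerous
    "upload.php.txt",     # dangerous: php hidden behind txt
    "banner.html.gif",    # dangerous: html hidden behind gif
    "upload.php_.txt",    # already munged with an underscore; not flagged
    "Shell.PHTML.jpg",    # matched case-insensitively
    ".htaccess",          # dotfile, no extension chain
]


if __name__ == "__main__":
    for name, hits in audit_names(SAMPLE_NAMES).items():
        print(f"{name}: dangerous extension(s) {', '.join(hits)}")
```

The scanner reports a name whenever a dangerous extension appears anywhere in the chain, so a plain `evil.php` is flagged as well as `evil.php.txt`; as the advisory says, the list is not exhaustive, so extend DANGEROUS_EXTENSIONS with whatever your web server or hosting configuration would execute.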


Examples for Developers - Critical - Remote Code Execution - SA-CONTRIB-2020-035

Security advisories (contrib) - 18 November 2020, 18:15
Project: Examples for Developers
Date: 2020-November-18
Security risk: Critical 17/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:

The File Example submodule within the Examples project does not properly sanitize certain filenames as described in SA-CORE-2020-012, along with other related vulnerabilities.

Therefore, File Example is being removed from Examples until a version demonstrating file security best practices can be added back in the future.

Solution: 

Any sites that have the File Example submodule installed should uninstall it immediately.

Then, install the latest version of Examples:
