Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Read Time:51 Second

Project:

Drupal core

Date:

2022-April-20

Security risk:

Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability:

Access bypass

Description:

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.

This vulnerability only affects sites using Drupal’s revision system.

This advisory is not covered by Drupal Steward.

Solution:

Install the latest version:

If you are using Drupal 9.3, update to Drupal 9.3.12.

All releases prior to Drupal 9.3 (including Drupal 7) are not affected.

Reported By:

Kristiaan Van den Eynde

Fixed By:

Kristiaan Van den Eynde
Lee Rowlands of the Drupal Security Team
Adam Bramley
xjm of the Drupal Security Team
Dave Long
Nathaniel Catchpole of the Drupal Security Team
Jibran Ijaz
Benji Fisher

Clever Social Engineering Attack Using Captchas

US Cyberspace Solarium Commission Outlines Ten New Cyber Policy Priorities

Cybersecurity Skills Gap Leaves Cloud Environments Vulnerable

Going for Gold: HSBC Approves Quantum-Safe Technology for Tokenized Bullions

This Windows PowerShell Phish Has Scary Potential

Infostealers Cause Surge in Ransomware Attacks, Just One in Three Recover Data

FBI Shuts Down Chinese Botnet

Western Agencies Warn Risk from Chinese-Controlled Botnet

8000 Claimants Sue Outsourcing Giant Capita Over 2023 Data Breach

Drupal core – Moderately critical – Access bypass – SA-CORE-2022-009

ZDI-CAN-25373: Microsoft

DSA-5774-1 ruby-saml – security update

USN-6968-2: PostgreSQL vulnerability

USN-7015-2: Python vulnerabilities

USN-7027-1: Emacs vulnerabilities

USN-7024-1: tgt vulnerability