View online: https://www.drupal.org/sa-contrib-2023-051
Project: GraphQL [1]
Date: 2023-November-08
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Request Forgery
Affected versions: <3.4.0 || >=4.0.0 <4.6.0
Description:
The GraphQL module enables you to build GraphQL APIs which can include data
fetching through Queries and data updates (create, update, delete) through
mutations.
The module does not sufficiently validate incoming requests that are made
from domains other than the one serving the GraphQL endpoint. In case a user
visits a malicious site, that site may make requests on the users behalf
which can lead to the execution of mutations, exposing a CSRF vulnerability.
Whether data is returned to the malicious site depends on your sites CORS
configuration.
This vulnerability is mitigated by the fact that a user with access to the
API must have an active session cookie while visiting a malicious site. This
vulnerability is also mitigated by restricting session cookies with the
SameSite attribute (see solution below).
Solution:
Install the latest version:
* If you use the GraphQL module v4 upgrade to GraphQL 8.x-4.6 [3]
* If you use the GraphQL module v3 upgrade to GraphQL 8.x-3.4 [4]
This vulnerability can also be mitigated by setting the SameSite attribute on
session cookies to Lax (recommended) or Strict. This might not be suitable
for sites that need to share the Drupal session cookie in some way with other
sites. Set the following in your site's services.yml file:
parameters:
session.storage.options:
# Session cookies are only used for backend admin accounts, so we
restrict
# the cookies to be used only from the backend origin. We don't use
"Strict"
# because that also removes cookies whenever an admin navigates from an
# email or chat app, which is inconvenient. See
#
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesi…
cookie_samesite: Lax
Reported By:
* Sam Becker [5]
Fixed By:
* Sam Becker [6]
* Klaus Purer [7]
* Alexander Varwijk [8]
* Luis [9]
* Lee Rowlands [10] of the Drupal Security Team
Coordinated By:
* Greg Knaddison [11] of the Drupal Security Team
* Damien McKenna [12] of the Drupal Security Team
[1] https://www.drupal.org/project/graphql
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/graphql/releases/8.x-4.6
[4] https://www.drupal.org/project/graphql/releases/8.x-3.4
[5] https://www.drupal.org/user/1485048
[6] https://www.drupal.org/user/1485048
[7] https://www.drupal.org/user/262198
[8] https://www.drupal.org/user/1868952
[9] https://www.drupal.org/user/1022312
[10] https://www.drupal.org/user/395439
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/user/108450
View online: https://www.drupal.org/psa-2023-11-01
Date: 2023-November-01
Description:
-------- DRUPAL 9 IS END OF LIFE AS OF NOVEMBER 1ST, 2023
--------------------
Drupal 9 relies on several other software projects, including Symfony,
CKEditor, and Twig. With Symfony 4's end of life, CKEditor 4's end of life,
and Twig 2's end of life all coming up soon, Drupal 9 went end of life on
November 1st, 2023. There will be no further releases of Drupal 9.
Two changes for Drupal contributed projects will occur before the end of
January 2024. One is that the automated testing platform DrupalCI support for
Drupal 9 will stop. The other is that release branches of contributed
projects that only support Drupal 9 will be marked unsupported (see the
tracking issue for details [1]).
Thanks to everyone who helped create and maintain Drupal 9.
-------- IT IS TIME TO UPDATE TO DRUPAL 10 COMPATIBLE RELEASES
--------------
Check the documentation on updating a site to Drupal 10 [2].
If a contributed project is not yet compatible with Drupal 10, now is a good
time to update it. Check for existing Drupal 10 compatibility issues relevant
for your projects.
If your project is already compatible with Drupal 10 but does not yet have a
stable release, please tag a release, once you are confident in your
project's stability. Where possible, tag a minor release supporting both
Drupal 9 and 10 to ensure users have a smooth upgrade path.
[1] https://www.drupal.org/project/drupalorg/issues/3398253
[2]
https://www.drupal.org/docs/upgrading-drupal/upgrading-from-drupal-8-or-lat…