View online: https://www.drupal.org/sa-contrib-2019-029
Project: Rabbit Hole [1] Version: 7.x-2.x-dev Date: 2019-February-27 Security risk: *Moderately critical* 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass
Description: The Rabbit Hole module allows administrators to control what should happen when a regular user tries to view an entity at its own page; for example, it may deliver a 403 Access Denied or 404 Page Not Found response, or redirect the user to another path.
The module doesn't respect the Rabbit Hole settings when an entity is being requested with a certain header. This could lead to certain data being exposed even if it shouldn't be. The vulnerability is mitigated by the fact that the user also needs permission to view the content being requested.
Solution: Install version 7.x-2.25, available at https://www.drupal.org/project/rabbit_hole/releases/7.x-2.25 [3].
Reported By: * Fabian Iwand [4]
Fixed By: * Fabian Iwand [5] * M Parker [6] * Olof Bokedal [7]
Coordinated By: * Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/rabbit_hole [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/rabbit_hole/releases/7.x-2.25 [4] https://www.drupal.org/user/1632364 [5] https://www.drupal.org/user/1632364 [6] https://www.drupal.org/user/536298 [7] https://www.drupal.org/user/1198438 [8] https://www.drupal.org/user/36762