View online: https://www.drupal.org/sa-core-2019-011
Project: Drupal core [1] Version: 8.8.x-dev8.7.x-dev Date: 2019-December-18 Security risk: *Moderately critical* 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass
Description: The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.
Solution: * If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11 [3]. * If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1 [4].
Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.
Alternatively, you may mitigate this vulnerability by unchecking the "Enable advanced UI" checkbox on /admin/config/media/media-library. (This mitigation is not available in 8.7.x.)
Reported By: * Adam G-H [5]
Fixed By: * Adam G-H [6] * Jess [7] of the Drupal Security Team * Andrei Mateescu [8] * Greg Knaddison [9] of the Drupal Security Team * Alex Bronstein [10] of the Drupal Security Team * Sean Blommaert [11] * Lee Rowlands [12] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://security.drupal.org/project/drupal/releases/8.7.11 [4] https://security.drupal.org/project/drupal/releases/8.8.1 [5] https://www.drupal.org/user/205645 [6] https://www.drupal.org/user/205645 [7] https://www.drupal.org/user/65776 [8] https://www.drupal.org/user/729614 [9] https://www.drupal.org/user/36762 [10] https://www.drupal.org/user/78040 [11] https://www.drupal.org/user/545912 [12] https://www.drupal.org/user/395439