View online: https://www.drupal.org/sa-contrib-2017-083
Project: Custom Permissions [1]
Version: 8.x-1.x-dev
Date: 2017-November-08
Security risk: *Moderately critical* 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description: Custom Permissions is a lightweight module that allows permissions to be created and managed through an administrative form.
When this module is in use, any user who is able to perform an action which rebuilds some of Drupal's caches can trigger a scenario in which certain pages protected by this module's custom permissions temporarily lose those custom access controls, thereby leading to an access bypass vulnerability.
Solution: Install the latest version:
* If you use the Custom Permissions module for Drupal 8, upgrade to Custom Permissions 8.x-1.1 [3]
Reported By:
* Michael Koza [4]
* David Rothstein [5] of the Drupal Security Team
Fixed By:
* David Valdez [6] the module maintainer
* David Rothstein [7] of the Drupal Security Team
Coordinated By:
* David Rothstein [8] of the Drupal Security Team
[1] https://www.drupal.org/project/config_perms
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/config_perms/releases/8.x-1.1
[4] https://www.drupal.org/user/2110062
[5] https://www.drupal.org/user/124982
[6] http://drupal.org/u/gnuget
[7] https://www.drupal.org/user/124982
[8] https://www.drupal.org/user/124982