View online: https://www.drupal.org/sa-contrib-2023-054
Project: Group [1] Date: 2023-December-06 Security risk: *Less critical* 8∕25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass
Affected versions: >=2.0.0 <2.2.2 || >=3.0.0 <3.2.2 Description: The Group module has the ability to make content private to specific groups. When viewing a list of entities, e.g. nodes, a visitor should only see those entities that are either not attached to a group or that they have group access to.
The module doesn't sufficiently enforce list access under the scenario where two users have the same outsider and insider permissions, but are members of different groups without any individual roles being assigned to said memberships. In such a scenario, the permissions hash for both will be the same even though it should differ.
This vulnerability is mitigated by the fact that an attacker must have the same hash as someone else, which is quite rare yet not unthinkable.
Solution: Install the latest version:
* Sites using Group version 2 should upgrade to Group v2.2.2 [3] * Sites using Group version 3 should upgrade to Group v3.2.2 [4]
Reported By: * Dylan Donkersgoed [5]
Fixed By: * Dylan Donkersgoed [6] * Péter Keszthelyi [7] * Austin Mitchell [8] * Ian Bullock [9]
Coordinated By: * Damien McKenna [10] of the Drupal Security Team * Greg Knaddison [11] of the Drupal Security Team
[1] https://www.drupal.org/project/group [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/group/releases/2.2.2 [4] https://www.drupal.org/project/group/releases/3.2.2 [5] https://www.drupal.org/user/2803351 [6] https://www.drupal.org/user/2803351 [7] https://www.drupal.org/user/1939064 [8] https://www.drupal.org/user/3534491 [9] https://www.drupal.org/user/1291942 [10] https://www.drupal.org/user/108450 [11] https://www.drupal.org/user/36762
-
security-news@drupal.org