View online: https://www.drupal.org/sa-contrib-2021-034

Project: Search API attachments [1] Date: 2021-September-22 Security risk: *Critical* 15∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Default [2] Vulnerability: Arbitrary PHP code execution

Description:  This module enables you to extract the textual content of files for use on a website, e.g. to display it or or use it in search indexes.

The module doesn't sufficiently protect the administrator-defined commands which are executed on the server, which leads to post-authentication remote code execution by a limited set of users.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer search_api". Sites are encouraged to review which roles have that permission and which users have that role, to ensure that only trusted users have that permission.

Solution:  Install the latest version:

* If you use the search_api_attachments module for Drupal 7.x, upgrade to search_api_attachments 7.x-1.19 [3]

The 8.x branch does not have Security Coverage.

Reported By:  * Florent Torregrosa [4]

Fixed By:  * Damien McKenna [5] of the Drupal Security Team * Ismaeil Abouljamal [6]

Coordinated By:  * Damien McKenna [7] of the Drupal Security Team * Greg Knaddison [8] of the Drupal Security Team

[1] https://www.drupal.org/project/search_api_attachments [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/search_api_attachments/releases/7.x-1.19 [4] https://www.drupal.org/user/2388214 [5] https://www.drupal.org/user/108450 [6] https://www.drupal.org/user/514568 [7] https://www.drupal.org/u/damienmckenna [8] https://www.drupal.org/u/greggles