View online: https://www.drupal.org/sa-contrib-2020-032

Project: Group [1] Version: 8.x-1.x-dev Date: 2020-August-05 Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Information disclosure

Description:  The Group module enables you to hand out permissions on a smaller subset, section or community of your website.

With the 1.1 security release, new code was introduced to ensure proper access for all entity types, but a mistake introduced unexpected access to unpublished nodes.

Solution:  Install the latest version:

* If you are using 8.x-1.0 [3] or later, you should upgrade to 8.x-1.2 [4]. * If you are using 8.x-1.0-rc5 [5], that version is not affected by this issue. You can also consider upgrading to 8.x-1.2 [6].

Reported By:  * Sean Blommaert [7] * Martijn Vermeulen [8]

Fixed By:  * Kristiaan Van den Eynde [9]

[1] https://www.drupal.org/project/group [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/group/releases/8.x-1.0 [4] https://www.drupal.org/project/group/releases/8.x-1.2 [5] https://www.drupal.org/project/group/releases/8.x-1.0-rc5 [6] https://www.drupal.org/project/group/releases/8.x-1.2 [7] https://www.drupal.org/user/545912 [8] https://www.drupal.org/user/960720 [9] https://www.drupal.org/user/1345130