View online: https://www.drupal.org/sa-contrib-2024-056

Project: OhDear Integration [1] Date: 2024-October-30 Security risk: *Moderately critical* 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass

Affected versions: <2.0.4 Description:  Integrates your Drupal website with the Oh Dear monitoring app.

Cached data of monitoring results is accessible to non-logged in users when caching is enabled on the module.

This vulnerability is mitigated by the fact that it only affects sites where caching is enabled for OhDear report healthcheck endpoint. It is not enabled by default and there's no UI option to do it. It has to be done directly in the ohdear_integration.settings.yml.

Solution:  Install the latest version:

* If you use the OhDear Integration module, upgrade to 2.0.4 version. [3]

Reported By:  * casey [4]

Fixed By:  * casey [5] * Lio Novelli [6]

Coordinated By:  * Greg Knaddison [7] of the Drupal Security Team * Juraj Nemec [8] of the Drupal Security Team

[1] https://www.drupal.org/project/ohdear_integration [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/ohdear_integration/releases/2.0.4 [4] https://www.drupal.org/user/32403 [5] https://www.drupal.org/user/32403 [6] https://www.drupal.org/user/3542704 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/user/272316