View online: https://www.drupal.org/sa-contrib-2019-093
Project: Taxonomy access fix [1]
Version: 8.x-2.6, 8.x-2.5, 8.x-2.4
Date: 2019-December-11
Security risk: *Moderately critical* 13/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description: This module extends access handling of Drupal Core's Taxonomy module.
The module doesn't sufficiently check
* whether a given entity should be access controlled at all, defaulting to allowing access even to unpublished Taxonomy Terms;
* whether certain administrative routes should be access controlled, defaulting to allowing access even to users without permission to access those administrative routes.
The vulnerability is mitigated by the following facts:
* The user interface to change the status of Taxonomy Terms was only released in Drupal Core 8.8; in earlier versions of Drupal Core a custom or contributed module is required to mark Taxonomy Terms as unpublished.
* All entity operations (except the view operation) available on the affected administrative routes still require appropriate permissions.
* An attacker must have a role with permission either to access content or to view Taxonomy Terms in a vocabulary.
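The two bullets above describe one bug class: an access hook that returns an explicit grant on every path it does not handle. In Drupal 8, a hook_ENTITY_TYPE_access() result of allowed() is OR-ed with the entity access control handler's own result, so it grants access even where core would have stayed neutral for an unpublished term. The following is an added illustration written for this page, not code from the Taxonomy Access Fix module; the module name example_term_access and the per-vocabulary permission string "view terms in VID" are assumptions, and it assumes Drupal Core 8.8 or later, where terms carry a published flag. It shows the default-allow shape beside a default-deny rewrite that covers both the unpublished-term case and the permission check on view.

```php
<?php

/**
 * Constructed example for a hypothetical module "example_term_access".
 * Not the Taxonomy Access Fix module's own code; it illustrates the
 * default-allow mistake described in the advisory next to a hardened form.
 * Assumes Drupal 8.8+ (taxonomy terms implement isPublished()).
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\taxonomy\TermInterface;

/**
 * Vulnerable shape: every branch that is not explicitly handled grants
 * access. An unpublished term, or a term in a vocabulary the account may
 * not view, falls through to the final allowed() and is served to anyone
 * who can reach the route, because an allowed() hook result is OR-ed with
 * core's own check and therefore overrides a neutral result from core.
 */
function example_term_access_vulnerable(EntityInterface $entity, $operation, AccountInterface $account) {
  if ($operation !== 'view' || !$entity instanceof TermInterface) {
    return AccessResult::allowed();
  }
  $vid = $entity->bundle();
  if ($account->hasPermission("view terms in $vid")) {
    return AccessResult::allowed();
  }
  // Default-allow: the bug class the advisory describes.
  return AccessResult::allowed();
}

/**
 * Hardened shape, implementing hook_ENTITY_TYPE_access() for taxonomy_term.
 * A grant is only ever added for a published term to an account holding the
 * (assumed) per-vocabulary permission. Every other case returns neutral, so
 * core's own access checks, including its unpublished-status handling,
 * remain in force instead of being overridden.
 */
function example_term_access_taxonomy_term_access(EntityInterface $entity, $operation, AccountInterface $account) {
  if ($operation !== 'view' || !$entity instanceof TermInterface) {
    // Not our concern: stay neutral, never allowed().
    return AccessResult::neutral();
  }
  if (!$entity->isPublished()) {
    // Unpublished content never receives a grant from this module; the
    // result varies by entity, so record it as a cache dependency.
    return AccessResult::neutral()->addCacheableDependency($entity);
  }
  $vid = $entity->bundle();
  // Assumed permission name; allowedIfHasPermission() already varies the
  // cache by the account's permissions.
  return AccessResult::allowedIfHasPermission($account, "view terms in $vid")
    ->addCacheableDependency($entity);
}
```

The same rule applies to the administrative routes mentioned above: a custom route access callback should express the requirement positively (for example a `_permission` or `_entity_access` requirement in the module's routing.yml, or forbidden()/neutral() on the unhandled branches of a `_custom_access` callback) rather than returning a grant whenever none of its conditions matched.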
Solution: Install the latest version:
* If you use taxonomy_access_fix 8.x-2.4 or later, upgrade to Taxonomy Access Fix 8.x-2.7 [3]
Also see the Taxonomy Access Fix project page [4].
Reported By:
* guedressel [5]
Fixed By:
* Julian Pustkuchen [6]
* Patrick Fey [7]
* Oleh Vehera [8]
* guedressel [9]
Coordinated By:
* Greg Knaddison [10] of the Drupal Security Team
* Damien McKenna [11] of the Drupal Security Team
[1] https://www.drupal.org/project/taxonomy_access_fix
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/taxonomy_access_fix/releases/8.x-2.7
[4] https://www.drupal.org/project/taxonomy_access_fix
[5] https://www.drupal.org/user/266710
[6] https://www.drupal.org/user/291091
[7] https://www.drupal.org/user/998680
[8] https://www.drupal.org/user/3260314
[9] https://www.drupal.org/user/266710
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/u/damienmckenna