View online: https://www.drupal.org/sa-contrib-2023-005

Project: Apigee Edge [1] Date: 2023-February-01 Security risk: *Moderately critical* 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass

Description:  The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal.

Previous module versions did not support entity query level access checking which could have lead to information disclosure or access bypass in various places.

Solution:  Install the latest version:

* If you use the Apigee Edge module version 2.0.x for Drupal 9.x, upgrade to Apigee Edge 2.0.8 [3] * If you use the Apigee Edge module version 8.x-1.x for Drupal 9.x, upgrade to Apigee Edge 8.x-1.27 [4]

Reported By:  * Dezső Biczó [5]

Fixed By:  * Dezső Biczó [6] * Shishir Suvarna [7]

Coordinated By:  * Greg Knaddison [8] of the Drupal Security Team

[1] https://www.drupal.org/project/apigee_edge [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/apigee_edge/releases/2.0.8 [4] https://www.drupal.org/project/apigee_edge/releases/8.x-1.27 [5] https://www.drupal.org/user/315522 [6] https://www.drupal.org/user/315522 [7] https://www.drupal.org/user/3119751 [8] https://www.drupal.org/user/36762