View online: https://www.drupal.org/sa-contrib-2019-052

Project: Universally Unique IDentifier [1] Date: 2019-May-29 Security risk: *Moderately critical* 14∕25 AC:Complex/A:User/CI:All/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Access bypass

Description:  This module provides an API for adding universally unique identifiers (UUID) to Drupal objects, most notably entities.

The module has a privilege escalation vulnerability when it's used in combination with Services+REST server.

This vulnerability is mitigated by the fact that an attacker must authenticate to the site, services module must be configured on the site and the user update resource enabled.

Solution:  Install the latest version:

* If you use the Universally Unique IDentifier module for Drupal 7.x, upgrade to UUID 7.x-1.3 [3]

Also see the Universally Unique IDentifier [4] project page.

Reported By:  * Gustavo Iñiguez Goia [5]

Fixed By:  * Manuel Garcia [6] * Samuel Mortenson [7] of the Drupal Security Team

Coordinated By:  * Samuel Mortenson [8] of the Drupal Security Team

[1] https://www.drupal.org/project/uuid [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/uuid/releases/7.x-1.3 [4] https://www.drupal.org/project/uuid [5] https://www.drupal.org/user/3419891 [6] https://www.drupal.org/user/213194 [7] https://www.drupal.org/user/2582268 [8] https://www.drupal.org/user/2582268