[Security-news] Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2017-083
security-news at drupal.org
security-news at drupal.org
Wed Nov 8 18:12:00 UTC 2017
View online: https://www.drupal.org/sa-contrib-2017-083
Project: Custom Permissions [1]
Version: 8.x-1.x-dev
Date: 2017-November-08
Security risk: *Moderately critical* 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
Custom Permissions is a lightweight module that allows permissions to be
created and managed through an administrative form.
When this module is in use, any user who is able to perform an action which
rebuilds some of Drupal's caches can trigger a scenario in which certain
pages protected by this module's custom permissions temporarily lose those
custom access controls, thereby leading to an access bypass vulnerability.
Solution:
Install the latest version:
* If you use the Custom Permissions module for Drupal 8, upgrade to Custom
Permissions 8.x-1.1 [3]
Reported By:
* Michael Koza [4]
* David Rothstein [5] of the Drupal Security Team
Fixed By:
* David Valdez [6] the module maintainer
* David Rothstein [7] of the Drupal Security Team
Coordinated By:
* David Rothstein [8] of the Drupal Security Team
[1] https://www.drupal.org/project/config_perms
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/config_perms/releases/8.x-1.1
[4] https://www.drupal.org/user/2110062
[5] https://www.drupal.org/user/124982
[6] http://drupal.org/u/gnuget
[7] https://www.drupal.org/user/124982
[8] https://www.drupal.org/user/124982
More information about the Security-news
mailing list