[Security-news] Universally Unique IDentifier - Moderately critical - Arbitrary file upload - SA-CONTRIB-2018-045

security-news at drupal.org security-news at drupal.org
Wed Jul 4 17:20:00 UTC 2018


View online: https://www.drupal.org/sa-contrib-2018-045

Project: Universally Unique IDentifier [1]
Date: 2018-July-04
Security risk: *Moderately critical* 12∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Arbitrary file upload

Description: 
This module provides an API for adding universally unique identifiers (UUID)
to Drupal objects, most notably entities.

The module module has an arbitrary file upload vulnerability when it's used
in combination with the services REST server.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to allow to upload to the file create REST endpoint.

Solution: 
   * If you use the uuid module for Drupal 7.x, upgrade to uuid  7.x-1.1 [3]
Also see the Universally Unique IDentifier [4] project page

Reported By: 
   * Gustavo Iñiguez Goia  [5]

Fixed By: 
   * Manuel Garcia  [6]

Coordinated By: 
   * Michael Hess [7] Of the Drupal Security Team


[1] https://www.drupal.org/project/uuid
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/uuid/releases/7.x-1.1
[4] https://www.drupal.org/project/uuid
[5] https://www.drupal.org/user/3419891
[6] https://www.drupal.org/user/213194
[7] https://www.drupal.org/u/mlhess



More information about the Security-news mailing list