[Security-news] Exif - Critical - Access bypass - SA-CONTRIB-2018-017
security-news at drupal.org
Wed Mar 21 17:24:13 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-017
Project: Exif [1]
Version: 8.x-1.x-dev
Date: 2018-March-21
Security risk: *Critical* 16∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
This module enables you to retrieve image metadata and use it in fields or
the title.
The module doesn't sufficiently restrict access to its settings pages,
thereby causing an access bypass vulnerability.
This vulnerability is mitigated by the fact that an attacker must have
permission to create entities of certain content entity types.
Solution:
Install the latest version:
* If you use the Exif module for Drupal 8.x, upgrade to Exif 8.x-1.1 [3]
Reported By:
* Jean-Francois Hovinne [4]
Fixed By:
* jphautin [5]
* Jean-Francois Hovinne [6]
Coordinated By:
* Damien McKenna [7]
[1] https://www.drupal.org/project/exif
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/exif/releases/8.x-1.1
[4] https://www.drupal.org/user/77723
[5] https://www.drupal.org/user/534338
[6] https://www.drupal.org/user/77723
[7] https://www.drupal.org/user/108450