[Security-news] Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093

security-news at drupal.org security-news at drupal.org
Wed Dec 11 20:03:20 UTC 2019


View online: https://www.drupal.org/sa-contrib-2019-093

Project: Taxonomy access fix [1]
Version: 8.x-2.68.x-2.58.x-2.4
Date: 2019-December-11
Security risk: *Moderately critical* 13∕25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description: 
This module extends access handling of Drupal Core's Taxonomy module.

The module doesn't sufficiently check,

   * if a given entity should be access controlled, defaulting to allowing
     access even to unpublished Taxonomy Terms.
   * if certain administrative routes should be access controlled, defaulting
     to allowing access even to users without permission to access these
     administrative routes.

The vulnerability is mitigated by the facts, that

   * the user interface to change the status of Taxonomy Terms has been
     released in Drupal Core 8.8 and a custom or contributed module is 
required
     in earlier versions of Drupal Core to mark Taxonomy Terms as unpublished.
   * all entity operations (except the view operation) available on affected
     administrative routes still require appropriate permissions.
   * an attacker must have a role with permission to either access content or
     view a Taxonomy Term in a vocabulary.

Solution: 
Install the latest version:

   * If you use taxonomy_access_fix 8.x-2.4 or later, upgrade to Taxonomy
     Access Fix 8.x-2.7 [3]

Also see the Taxonomy Access Fix project page [4].

Reported By: 
   * guedressel [5]

Fixed By: 
   * Julian Pustkuchen [6]
   * Patrick Fey [7]
   * Oleh Vehera [8]
   * guedressel [9]

Coordinated By: 
   * Greg Knaddison [10] of the Drupal Security Team
   * Damien McKenna [11] of the Drupal Security Team


[1] https://www.drupal.org/project/taxonomy_access_fix
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/taxonomy_access_fix/releases/8.x-2.7
[4] https://www.drupal.org/project/taxonomy_access_fix
[5] https://www.drupal.org/user/266710
[6] https://www.drupal.org/user/291091
[7] https://www.drupal.org/user/998680
[8] https://www.drupal.org/user/3260314
[9] https://www.drupal.org/user/266710
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/u/damienmckenna



More information about the Security-news mailing list