[Security-news] Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093
security-news at drupal.org
security-news at drupal.org
Wed Dec 11 20:03:20 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-093
Project: Taxonomy access fix [1]
Version: 8.x-2.68.x-2.58.x-2.4
Date: 2019-December-11
Security risk: *Moderately critical* 13∕25
AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
This module extends access handling of Drupal Core's Taxonomy module.
The module doesn't sufficiently check,
* if a given entity should be access controlled, defaulting to allowing
access even to unpublished Taxonomy Terms.
* if certain administrative routes should be access controlled, defaulting
to allowing access even to users without permission to access these
administrative routes.
The vulnerability is mitigated by the facts, that
* the user interface to change the status of Taxonomy Terms has been
released in Drupal Core 8.8 and a custom or contributed module is
required
in earlier versions of Drupal Core to mark Taxonomy Terms as unpublished.
* all entity operations (except the view operation) available on affected
administrative routes still require appropriate permissions.
* an attacker must have a role with permission to either access content or
view a Taxonomy Term in a vocabulary.
Solution:
Install the latest version:
* If you use taxonomy_access_fix 8.x-2.4 or later, upgrade to Taxonomy
Access Fix 8.x-2.7 [3]
Also see the Taxonomy Access Fix project page [4].
Reported By:
* guedressel [5]
Fixed By:
* Julian Pustkuchen [6]
* Patrick Fey [7]
* Oleh Vehera [8]
* guedressel [9]
Coordinated By:
* Greg Knaddison [10] of the Drupal Security Team
* Damien McKenna [11] of the Drupal Security Team
[1] https://www.drupal.org/project/taxonomy_access_fix
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/taxonomy_access_fix/releases/8.x-2.7
[4] https://www.drupal.org/project/taxonomy_access_fix
[5] https://www.drupal.org/user/266710
[6] https://www.drupal.org/user/291091
[7] https://www.drupal.org/user/998680
[8] https://www.drupal.org/user/3260314
[9] https://www.drupal.org/user/266710
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/u/damienmckenna
More information about the Security-news
mailing list