[Security-news] Rabbit Hole - Moderately critical - Access bypass - SA-CONTRIB-2019-029
security-news at drupal.org
security-news at drupal.org
Wed Feb 27 18:12:38 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-029
Project: Rabbit Hole [1]
Version: 7.x-2.x-dev
Date: 2019-February-27
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
The Rabbit Hole module allows administrators to control what should happen
when a regular user tries to view an entity at its own page; for example, it
may deliver a 403 Access Denied or 404 Page Not Found response, or redirect
the user to another path.
The module doesn't respect the Rabbit Hole settings when an entity is being
requested with a certain header. This could lead to certain data being
exposed even if it shouldn't be. The vulnerability is mitigated by the fact
that the user also needs permission to view the content being requested.
Solution:
Install version 7.x-2.25, available at
https://www.drupal.org/project/rabbit_hole/releases/7.x-2.25 [3].
Reported By:
* Fabian Iwand [4]
Fixed By:
* Fabian Iwand [5]
* M Parker [6]
* Olof Bokedal [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/rabbit_hole
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/rabbit_hole/releases/7.x-2.25
[4] https://www.drupal.org/user/1632364
[5] https://www.drupal.org/user/1632364
[6] https://www.drupal.org/user/536298
[7] https://www.drupal.org/user/1198438
[8] https://www.drupal.org/user/36762
More information about the Security-news
mailing list