[Security-news] Universally Unique IDentifier - Moderately critical - Access bypass - SA-CONTRIB-2019-052
security-news at drupal.org
security-news at drupal.org
Wed May 29 17:50:38 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-052
Project: Universally Unique IDentifier [1]
Date: 2019-May-29
Security risk: *Moderately critical* 14∕25
AC:Complex/A:User/CI:All/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
This module provides an API for adding universally unique identifiers (UUID)
to Drupal objects, most notably entities.
The module has a privilege escalation vulnerability when it's used in
combination with Services+REST server.
This vulnerability is mitigated by the fact that an attacker must
authenticate to the site, services module must be configured on the site and
the user update resource enabled.
Solution:
Install the latest version:
* If you use the Universally Unique IDentifier module for Drupal 7.x,
upgrade to UUID 7.x-1.3 [3]
Also see the Universally Unique IDentifier [4] project page.
Reported By:
* Gustavo Iñiguez Goia [5]
Fixed By:
* Manuel Garcia [6]
* Samuel Mortenson [7] of the Drupal Security Team
Coordinated By:
* Samuel Mortenson [8] of the Drupal Security Team
[1] https://www.drupal.org/project/uuid
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/uuid/releases/7.x-1.3
[4] https://www.drupal.org/project/uuid
[5] https://www.drupal.org/user/3419891
[6] https://www.drupal.org/user/213194
[7] https://www.drupal.org/user/2582268
[8] https://www.drupal.org/user/2582268
More information about the Security-news
mailing list