[Security-news] Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2020-028

security-news at drupal.org
Wed Jul 22 19:21:21 UTC 2020


View online: https://www.drupal.org/sa-contrib-2020-028

Project: Apigee Edge [1]
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: *Moderately critical* 10∕25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
The Apigee Edge module allows connecting a Drupal site to Apigee Edge in
order to build a developer portal. It contains an "Apigee Edge Teams"
submodule that provides shared app functionality by allowing developers to be
organized into teams.

The "Apigee Edge Teams" submodule has an information disclosure
vulnerability. The "Add team member" form displays an email autocomplete
field which can expose the email addresses of other accounts in the system.

This vulnerability is mitigated by the fact that to have access to the form,
the site must have the Apigee Edge Teams submodule enabled, and the user must
have a team role that has the "Manage team members" permission. (Note that
team roles and permissions are not related to Drupal core roles and
permissions.)

Solution: 
Install the latest version:

   * If you use the apigee_edge_teams submodule for Drupal 8.x, upgrade to
     Apigee Edge module 8.x-1.12 [3]

Also see the Apigee Edge [4] project page.

Reported By: 
   * Arlina Espinoza Rhoton  [5]

Fixed By: 
   * Arlina Espinoza Rhoton  [6]
   * Chris Novak  [7]

Coordinated By: 
   * Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/apigee_edge
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/apigee_edge/releases/8.x-1.12
[4] https://www.drupal.org/project/apigee_edge
[5] https://www.drupal.org/user/1055344
[6] https://www.drupal.org/user/1055344
[7] https://www.drupal.org/user/880416
[8] https://www.drupal.org/user/36762
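
A check a site maintainer could run against the two conditions the advisory names (a release older than 8.x-1.12, and the Apigee Edge Teams submodule enabled), added here as an example and not part of the advisory or the project's code. It assumes a Composer-managed site where the project is locked as drupal/apigee_edge with 8.x-1.12 appearing as 1.12.0, and an exported core.extension.yml; the function names and result labels are hypothetical.

```python
import json
import re

PACKAGE = "drupal/apigee_edge"   # assumption: Composer name of the project
SUBMODULE = "apigee_edge_teams"  # submodule named in the advisory
FIXED = (1, 12)                  # advisory: fixed in 8.x-1.12 (Composer 1.12.0)

def installed_version(lock_text):
    """Return the locked version of the Apigee Edge package, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None

def is_fixed(version):
    """Only a tagged release >= 1.12 counts; dev and pre-release builds do not."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.\d+)?", version or "")
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= FIXED

def teams_enabled(core_extension_yml):
    """Look for the submodule under the top-level 'module:' key."""
    in_modules = False
    for line in core_extension_yml.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            in_modules = line.strip() == "module:"
        elif in_modules and line.strip().split(":")[0] == SUBMODULE:
            return True
    return False

def assess(lock_text, core_extension_yml):
    version = installed_version(lock_text)
    if version is None:
        return "not-installed"
    if is_fixed(version):
        return "fixed"
    return "exposed" if teams_enabled(core_extension_yml) else "upgrade-pending"

# Constructed sample inputs, not taken from any real site.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "8.9.2"},
    {"name": "drupal/apigee_edge", "version": "1.11.0"}]})
SAMPLE_EXT = "module:\n  apigee_edge: 0\n  apigee_edge_teams: 0\n  user: 0\ntheme:\n  bartik: 0\n"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_EXT))
```

"upgrade-pending" means the affected code is installed but the submodule is off, so the form described in the advisory is not reachable until someone enables it.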


