[Security-news] User hash - Moderately critical - Cache poisoning - SA-CONTRIB-2021-030
security-news at drupal.org
Wed Sep 22 18:04:40 UTC 2021
View online: https://www.drupal.org/sa-contrib-2021-030
Project: User hash [1]
Date: 2021-September-22
Security risk: *Moderately critical* 12/25
AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Cache poisoning
Description:
This module enables you to create an individual hash for each user. These
hashes can be used for authentication instead of the user's password, e.g.
for views exporters.
The module doesn't sufficiently invalidate page output when the page_cache
module is used.
This vulnerability is mitigated by the fact that an attacker must have a user
hash that grants access to specific content and the attack must be timed to
the reset of the page cache.
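One defensive pattern for this class of bug, added here as an illustration and not taken from the User hash module or its 2.0.1 fix: a page_cache response policy that refuses to store any response produced for a request carrying a user hash, so hash-authenticated output can never be served to other visitors. The parameter name `hash`, the header name `X-User-Hash` and the module name `example_hash_auth` are assumptions.

```php
<?php
// Illustrative Drupal 8/9 response policy (not user_hash's own code).
// File: modules/custom/example_hash_auth/src/PageCache/DenyHashAuthenticatedPages.php
namespace Drupal\example_hash_auth\PageCache;

use Drupal\Core\PageCache\ResponsePolicyInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Keeps responses generated for hash-authenticated requests out of page_cache.
 *
 * page_cache decides cacheability per request with request policies and per
 * response with response policies; returning DENY from any response policy
 * prevents the response from being written to the page cache at all.
 */
class DenyHashAuthenticatedPages implements ResponsePolicyInterface {

  // Where the hash is carried is an assumption for this example.
  const HASH_QUERY_PARAM = 'hash';
  const HASH_HEADER = 'X-User-Hash';

  /**
   * {@inheritdoc}
   */
  public function check(Response $response, Request $request) {
    // Only the presence of a hash credential matters here: even an invalid
    // hash should keep the response uncached, so a failed-auth page cannot
    // be poisoned into the cache either.
    if ($request->query->has(self::HASH_QUERY_PARAM)
      || $request->headers->has(self::HASH_HEADER)) {
      return static::DENY;
    }
    // NULL means "no opinion"; other policies (e.g. the kill switch) still apply.
    return NULL;
  }

}

// Service registration (example_hash_auth.services.yml), shown as a comment
// because the tag is what wires the class into page_cache's policy chain:
//
// services:
//   example_hash_auth.page_cache_response_policy.deny_hash_auth:
//     class: Drupal\example_hash_auth\PageCache\DenyHashAuthenticatedPages
//     tags:
//       - { name: page_cache_response_policy }
```

After deploying such a policy, confirm the behaviour by requesting a hash-authenticated URL and checking that the response carries no `X-Drupal-Cache: HIT` header on a repeat request.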
Solution:
Install the latest version:
* If you use the user_hash module for Drupal 8 or 9, upgrade to User Hash
2.0.1 [3]
Reported By:
* Jürgen Haas [4]
* Lee Rowlands [5] of the Drupal Security Team
Fixed By:
* Jürgen Haas [6]
* Lee Rowlands [7] of the Drupal Security Team
Coordinated By:
* Damien McKenna [8] of the Drupal Security Team
[1] https://www.drupal.org/project/user_hash
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/user_hash/releases/2.0.1
[4] https://www.drupal.org/user/168924
[5] https://www.drupal.org/user/395439
[6] https://www.drupal.org/user/168924
[7] https://www.drupal.org/user/395439
[8] https://www.drupal.org/u/damienmckenna