[Security-news] Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031
security-news at drupal.org
Wed Mar 23 17:08:54 UTC 2022
View online: https://www.drupal.org/sa-contrib-2022-031
Project: Role Delegation [1]
Date: 2022-March-23
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
Vulnerability: Privilege escalation
Description:
This module allows site administrators to grant specific roles the authority
to assign selected roles to users, without those roles needing the
"administer permissions" permission.
The module contains an access bypass vulnerability when used in combination
with the Views Bulk Operations module: an authenticated user is able to
assign the administrator role to their own user account.
This vulnerability is mitigated by the fact that an attacker must have access
to an overview of users that has Views Bulk Operations enabled (e.g. the
admin_views module provides such a view).
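The following Drupal 7 audit script is an added example; it is not part of this advisory or of the Role Delegation module. It lists which roles currently hold Role Delegation's per-role "assign <role> role" permissions, so a site owner can judge who could reach a user overview with bulk role assignment. It uses only Drupal 7 core API (user_roles(), user_role_permissions(), user_access()); the assumption is Role Delegation's permission naming scheme "assign <role name> role", and the script name is hypothetical.

```php
<?php
// Added example, not code from the advisory or the Role Delegation project.
// Run from the site root with:  drush php-script role_delegation_audit.php
// Assumes Role Delegation 7.x names its permissions "assign <role name> role".

// rid => role name, for authenticated roles only (core API).
$roles = user_roles(TRUE);
// rid => array whose keys are the permission strings granted to that role.
$perms_by_role = user_role_permissions($roles);

foreach ($perms_by_role as $rid => $perms) {
  $assignable = array();
  foreach (array_keys($perms) as $perm) {
    // Role Delegation permissions look like "assign editor role".
    if (preg_match('/^assign (.+) role$/', $perm, $m)) {
      $assignable[] = $m[1];
    }
  }
  if (!empty($assignable)) {
    printf("Role '%s' may assign: %s\n", $roles[$rid], implode(', ', $assignable));
  }
}

/**
 * Defensive filter for custom code that assigns roles on behalf of a user:
 * keeps only the role ids the acting account is allowed to delegate.
 * This is the check a bulk action must apply per role, regardless of the
 * form or view it was reached from (illustrative helper, not module code).
 */
function role_delegation_audit_filter_assignable(array $requested_rids, $account) {
  $roles = user_roles(TRUE);
  $allowed = array();
  foreach ($requested_rids as $rid) {
    if (isset($roles[$rid]) && user_access('assign ' . $roles[$rid] . ' role', $account)) {
      $allowed[] = $rid;
    }
  }
  return $allowed;
}
```

If the audit shows a broadly held role (such as "authenticated user") with any "assign ... role" permission, or any non-administrative role with "assign administrator role", review that grant alongside applying the update below; the helper function shows the shape of the per-role check that any custom bulk action should perform before touching a user's roles.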
Solution:
Install the latest version:
* If you use the Role Delegation module for Drupal 7.x, upgrade to Role
Delegation 7.x-1.3 [3]
Reported By:
* Michael Forbes [4]
* Jeroen Tubex [5]
* Stein Setvik [6]
Fixed By:
* Michael Forbes [7]
* Jeroen Tubex [8]
* Stein Setvik [9]
Coordinated By:
* Greg Knaddison [10] of the Drupal Security Team
[1] https://www.drupal.org/project/role_delegation
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/role_delegation/releases/7.x-1.3
[4] https://www.drupal.org/user/1810100
[5] https://www.drupal.org/user/2228934
[6] https://www.drupal.org/user/77805
[7] https://www.drupal.org/user/1810100
[8] https://www.drupal.org/user/2228934
[9] https://www.drupal.org/user/77805
[10] https://www.drupal.org/user/36762