[Security-news] Next.js - Moderately critical - Access bypass - SA-CONTRIB-2022-054
security-news at drupal.org
security-news at drupal.org
Wed Sep 7 17:34:23 UTC 2022
View online: https://www.drupal.org/sa-contrib-2022-054
Project: Next.js [1]
Version: 1.2.01.1.01.0.0
Date: 2022-September-07
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
The Next.js module provides an inline preview for content. Authenticated
requests are made to Drupal to fetch JSON:API content and render them in an
iframe from the decoupled Next.js site.
The current implementation doesn’t sufficiently check access for fetching
data. All requests made to Drupal are authenticated using a single scope with
elevated content access. Users without access to content could be exposed to
unauthorized content.
Solution:
If you use the Next.js module for Drupal 9.x:
1) Upgrade to version v1.3.0 [3].
2) Edit the Next.js user and assign all roles that can be used as scopes.
The granted roles will be filtered based on roles assigned to the
current
user.
See the upgrade guide at https://next-drupal.org/docs/upgrade-guide [4].
Reported By:
* Lauri Eskola [5]
Fixed By:
* Lauri Eskola [6]
* shadcn [7]
* Minnur Yunusov [8]
Coordinated By:
* Damien McKenna [9] of the Drupal Security Team
[1] https://www.drupal.org/project/next
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/next/releases/1.3.0
[4] https://next-drupal.org/docs/upgrade-guide
[5] https://www.drupal.org/user/1078742
[6] https://www.drupal.org/user/1078742
[7] https://www.drupal.org/user/571032
[8] https://www.drupal.org/user/702026
[9] https://www.drupal.org/user/108450
More information about the Security-news
mailing list