[Security-news] Group - Less critical - Access bypass - SA-CONTRIB-2023-054
security-news at drupal.org
Wed Dec 6 18:22:33 UTC 2023
View online: https://www.drupal.org/sa-contrib-2023-054
Project: Group [1]
Date: 2023-December-06
Security risk: *Less critical* 8∕25
AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Affected versions: >=2.0.0 <2.2.2 || >=3.0.0 <3.2.2
Description:
The Group module has the ability to make content private to specific groups.
When viewing a list of entities, e.g. nodes, a visitor should only see those
entities that are either not attached to a group or that they have group
access to.
The module doesn't sufficiently enforce list access in the scenario where
two users have the same outsider and insider permissions but are members of
different groups, with no individual roles assigned to those memberships.
In that scenario, the permissions hash for both users will be the same even
though it should differ.
This vulnerability is mitigated by the fact that an attacker must have the
same hash as someone else, which is quite rare yet not unthinkable.
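The collision described above, as an added Python model that is not the Group module's code: it assumes the entity list is cached under the permissions hash, and all names, permissions and data are constructed. `strict_hash` shows one way to make the hashes differ, not necessarily how the fixed releases do it.

```python
import hashlib
import json

# Constructed sample data (hypothetical names throughout).
GROUP_TYPE = {"g1": "team", "g2": "team"}      # group id -> group type
INSIDER = {"team": ["view content"]}           # per-type member permissions
OUTSIDER = {"team": []}                        # per-type non-member permissions
ROLE_PERMS = {"editor": ["edit content"]}      # individual role permissions
# user -> {group id: individual roles held on that membership}
MEMBERSHIPS = {"alice": {"g1": []}, "bob": {"g2": []}, "carol": {"g2": ["editor"]}}
ENTITIES = {"node-1": "g1", "node-2": "g2", "node-3": None}  # entity -> owning group

def calculated_permissions(user):
    """Permissions by scope: insider/outsider per group type, individual per group."""
    mine = MEMBERSHIPS[user]
    member_types = {GROUP_TYPE[g] for g in mine}
    perms = {"insider": {}, "outsider": {}, "individual": {}}
    for gtype in sorted(set(GROUP_TYPE.values())):
        scope = "insider" if gtype in member_types else "outsider"
        perms[scope][gtype] = sorted((INSIDER if scope == "insider" else OUTSIDER)[gtype])
    for gid, roles in mine.items():
        if roles:  # memberships without individual roles add nothing group-specific
            perms["individual"][gid] = sorted(p for r in roles for p in ROLE_PERMS[r])
    return perms

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def weak_hash(user):
    """Hash over permissions only: identical for alice and bob."""
    return _digest(calculated_permissions(user))

def strict_hash(user):
    """Hash that also binds the ids of the groups the user belongs to."""
    return _digest([calculated_permissions(user), sorted(MEMBERSHIPS[user])])

def visible_entities(user):
    """Ground truth: ungrouped entities plus those in the user's own groups."""
    return sorted(e for e, g in ENTITIES.items() if g is None or g in MEMBERSHIPS[user])

def cached_list(user, hash_fn, cache):
    """Entity list cached under the user's permissions hash (assumed usage)."""
    return cache.setdefault(hash_fn(user), visible_entities(user))
```

With `weak_hash`, whichever of alice or bob loads the list first determines what the other sees; carol's individual role already gives her a distinct hash, which is why the advisory limits the scenario to memberships without individual roles.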
Solution:
Install the latest version:
* Sites using Group version 2 should upgrade to Group v2.2.2 [3]
* Sites using Group version 3 should upgrade to Group v3.2.2 [4]
Reported By:
* Dylan Donkersgoed [5]
Fixed By:
* Dylan Donkersgoed [6]
* Péter Keszthelyi [7]
* Austin Mitchell [8]
* Ian Bullock [9]
Coordinated By:
* Damien McKenna [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team
[1] https://www.drupal.org/project/group
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/group/releases/2.2.2
[4] https://www.drupal.org/project/group/releases/3.2.2
[5] https://www.drupal.org/user/2803351
[6] https://www.drupal.org/user/2803351
[7] https://www.drupal.org/user/1939064
[8] https://www.drupal.org/user/3534491
[9] https://www.drupal.org/user/1291942
[10] https://www.drupal.org/user/108450
[11] https://www.drupal.org/user/36762