[Security-news] Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007
security-news at drupal.org
Wed Mar 1 17:54:28 UTC 2023
View online: https://www.drupal.org/sa-contrib-2023-007
Project: Thunder [1]
Date: 2023-March-01
Security risk: *Moderately critical* 13/25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Affected versions: >=6.4.0 <6.4.6 || >=6.5.0 <6.5.3
Description:
Thunder is a Drupal distribution for professional publishing. The Thunder
distribution ships the thunder_gqls module, which provides a GraphQL
interface.
The module does not sufficiently check access when serving user data via
GraphQL, leading to an access bypass vulnerability that can expose user
email addresses to callers who are not permitted to see them.
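The following is an added illustration of the vulnerability class described above, not code from thunder_gqls and not the actual fix shipped in 6.4.6/6.5.3. It shows a Drupal field resolver for a user's email first without any access check and then with the entity-level and field-level access checks that Drupal core's Entity/Field API provides. The function names and the two-element return shape are hypothetical; the `access()`, `isAllowed()` and `andIf()` calls are standard core API.

```php
<?php

declare(strict_types=1);

// Added illustration, not code from thunder_gqls or from the actual fix.
// The resolver names below are hypothetical; the access calls are the
// standard Drupal core Entity/Field API.

use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\user\UserInterface;

/**
 * Vulnerable pattern: hands back the address of whatever user the caller
 * asked for, on the assumption that some other layer already decided who is
 * allowed to see it. Nothing in this path consults the viewer at all, so an
 * anonymous GraphQL query that reaches a user entity gets its email.
 */
function resolveUserMailUnchecked(UserInterface $user): ?string {
  return $user->getEmail();
}

/**
 * Hardened pattern: ask both the entity and the field whether $viewer may
 * view them, using the return-as-object form so the cacheability of the
 * decision can be carried back to the response. Core's user access control
 * handler grants 'view' on the 'mail' field only to the account itself or
 * to users with 'administer users', so an anonymous viewer gets NULL here.
 *
 * @return array{0: ?string, 1: AccessResultInterface}
 *   The email (or NULL) and the combined access result whose cache metadata
 *   the caller must attach to the GraphQL field/response context.
 */
function resolveUserMailChecked(UserInterface $user, AccountInterface $viewer): array {
  // Entity-level check: may $viewer see this user entity at all?
  /** @var AccessResultInterface $entityAccess */
  $entityAccess = $user->access('view', $viewer, TRUE);
  if (!$entityAccess->isAllowed()) {
    return [NULL, $entityAccess];
  }

  // Field-level check: may $viewer see this particular field on it?
  /** @var AccessResultInterface $fieldAccess */
  $fieldAccess = $user->get('mail')->access('view', $viewer, TRUE);

  // andIf() denies unless both decisions are allowed and merges the cache
  // contexts/tags of both (e.g. the 'user' context), so a cached GraphQL
  // response built for one viewer is not served to another.
  $combined = $entityAccess->andIf($fieldAccess);
  if (!$combined->isAllowed()) {
    return [NULL, $combined];
  }

  return [$user->getEmail(), $combined];
}
```

Call the checked variant with the requesting account (for example `\Drupal::currentUser()`) and add the returned access result to the response's cacheable metadata; dropping that metadata is the second common mistake in GraphQL resolvers, since a per-user decision then gets cached and replayed for everyone. After upgrading, a quick check is to query the GraphQL endpoint for another user's email while logged out and confirm the field comes back null rather than an address.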
Solution:
Install the latest version:
* If you use the Thunder distribution for Drupal 9.x and have the
thunder_gqls module enabled, upgrade to Thunder 6.4.6 [3] or Thunder
6.5.3 [4], respectively.
Reported By:
* Steffen Schlaer [5]
Fixed By:
* Volker Killesreiter [6]
* Alexander Varwijk [7]
* Steffen Schlaer [8]
* Klaus Purer [9]
* Daniel Bosen [10]
Coordinated By:
* Greg Knaddison [11] of the Drupal Security Team
[1] https://www.drupal.org/project/thunder
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/thunder/releases/6.4.6
[4] https://www.drupal.org/project/thunder/releases/6.5.3
[5] https://www.drupal.org/user/324945
[6] https://www.drupal.org/user/57527
[7] https://www.drupal.org/user/1868952
[8] https://www.drupal.org/user/324945
[9] https://www.drupal.org/user/262198
[10] https://www.drupal.org/user/404865
[11] https://www.drupal.org/user/36762