[Security-news] Registration role - Critical - Access bypass - SA-CONTRIB-2024-015
security-news at drupal.org
security-news at drupal.org
Wed Mar 6 17:26:16 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-015
Project: Registration role [1]
Date: 2024-March-06
Security risk: *Critical* 18∕25
AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Affected versions: <2.0.1
Description:
The Registration role module lets an administrator select a role (or multiple
roles) to automatically assign to new users. The selected role (or roles)
will be assigned to new registrants.
The module has a logic error when handling sites that upgraded code and did
not run the Drupal update process (e.g. update.php).
This vulnerability is mitigated by the fact that the problem does not exist
on sites that followed the process of updating code and running the standard
updates.
Solution:
Install the latest version:
* If you use the Registration role module version 2.x, upgrade to
Registration role 2.0.1 [3]
Review user accounts registered between 2023 July 11 and now for having
additional roles you did not intend for them to have. If your site missed or
reverted an update to configuration in the version 2.0.0 release of
Registration Role (or development branch from 2020 August 17 on),
non-selected roles were not removed from configuration. Without this update,
up until you re-saved the settings form or until you install the new release
- whichever came first - users who registered receive /all/ roles.
Also, upgrade to the latest version /and run update hooks/ at update.php or
with Drush, drush updb
OR: Immediately re-save the the configuration page at
/admin/people/registration-role
Reported By:
* Pamela Barone [4]
* Renaud Joubert [5]
Fixed By:
* Juraj Nemec [6] of the Drupal Security Team
* Benjamin Melançon [7]
Coordinated By:
* Juraj Nemec [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
* Drew Webber [10] of the Drupal Security Team
[1] https://www.drupal.org/project/registration_role
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/registration_role/releases/2.0.1
[4] https://www.drupal.org/user/1431110
[5] https://www.drupal.org/user/549974
[6] https://www.drupal.org/user/272316
[7] https://www.drupal.org/user/64383
[8] https://www.drupal.org/user/272316
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/255969
More information about the Security-news
mailing list