[Security-news] Basic HTTP Authentication - Critical - Access bypass - SA-CONTRIB-2024-057
security-news at drupal.org
security-news at drupal.org
Wed Nov 6 17:21:52 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-057
Project: Basic HTTP Authentication [1]
Date: 2024-November-06
Security risk: *Critical* 16 ∕ 25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Description:
The module provides a possibility to restrict access to specific paths using
basic HTTP authentication, in addition to standard Drupal access checks.
In some cases, the module removes existing access checks from some paths,
resulting in an access bypass vulnerability.
Solution:
Install the latest version:
* If you use the Basic HTTP Authentication module for Drupal 7.x, upgrade
to
Basic Authentication 7.x-1.4 [3]
Reported By:
* Roderik Muit [4]
Fixed By:
* Roderik Muit [5]
* Ivo Van Geertruyen [6] of the Drupal Security Team
Coordinated By:
* Ivo Van Geertruyen [7] of the Drupal Security Team
[1] https://www.drupal.org/project/basic_auth
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/basic_auth/releases/7.x-1.4
[4] https://www.drupal.org/user/8841
[5] https://www.drupal.org/user/8841
[6] https://www.drupal.org/user/383424
[7] https://www.drupal.org/user/383424
More information about the Security-news
mailing list