[Security-news] OhDear Integration - Moderately critical - Access bypass - SA-CONTRIB-2024-056
security-news at drupal.org
security-news at drupal.org
Wed Oct 30 17:53:05 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-056
Project: OhDear Integration [1]
Date: 2024-October-30
Security risk: *Moderately critical* 13 ∕ 25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Affected versions: <2.0.4
Description:
Integrates your Drupal website with the Oh Dear monitoring app.
Cached data of monitoring results is accessible to non-logged in users when
caching is enabled on the module.
This vulnerability is mitigated by the fact that it only affects sites where
caching is enabled for OhDear report healthcheck endpoint. It is not enabled
by default and there's no UI option to do it. It has to be done directly in
the ohdear_integration.settings.yml.
Solution:
Install the latest version:
* If you use the OhDear Integration module, upgrade to 2.0.4 version. [3]
Reported By:
* casey [4]
Fixed By:
* casey [5]
* Lio Novelli [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
* Juraj Nemec [8] of the Drupal Security Team
[1] https://www.drupal.org/project/ohdear_integration
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ohdear_integration/releases/2.0.4
[4] https://www.drupal.org/user/32403
[5] https://www.drupal.org/user/32403
[6] https://www.drupal.org/user/3542704
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/272316
More information about the Security-news
mailing list