[SECURITY-L] Fwd: [Security-news] Drupal core - Moderately critical - Access bypass - SA-CORE-2019-011
CSIRT Unicamp
security em unicamp.br
Qua Dez 18 17:28:32 -03 2019
View online: https://www.drupal.org/sa-core-2019-011
Project: Drupal core [1]
Version: 8.8.x-dev8.7.x-dev
Date: 2019-December-18
Security risk: *Moderately critical* 10∕25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
The Media Library module has a security vulnerability whereby it doesn't
sufficiently restrict access to media items in certain configurations.
Solution:
* If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11 [3].
* If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1 [4].
Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive
security coverage.
Alternatively, you may mitigate this vulnerability by unchecking the "Enable
advanced UI" checkbox on /admin/config/media/media-library. (This mitigation
is not available in 8.7.x.)
Reported By:
* Adam G-H [5]
Fixed By:
* Adam G-H [6]
* Jess [7] of the Drupal Security Team
* Andrei Mateescu [8]
* Greg Knaddison [9] of the Drupal Security Team
* Alex Bronstein [10] of the Drupal Security Team
* Sean Blommaert [11]
* Lee Rowlands [12] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://security.drupal.org/project/drupal/releases/8.7.11
[4] https://security.drupal.org/project/drupal/releases/8.8.1
[5] https://www.drupal.org/user/205645
[6] https://www.drupal.org/user/205645
[7] https://www.drupal.org/user/65776
[8] https://www.drupal.org/user/729614
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/78040
[11] https://www.drupal.org/user/545912
[12] https://www.drupal.org/user/395439
_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: <http://www.listas.unicamp.br/pipermail/security-l/attachments/20191218/ac4bc659/attachment.html>
Mais detalhes sobre a lista de discussão SECURITY-L