From security at unicamp.br Wed Sep 20 15:39:42 2023
From: security at unicamp.br (CSIRT Unicamp)
Date: Wed, 20 Sep 2023 15:39:42 -0300
Subject: [SECURITY-L] Fwd: [Security-news] Drupal core - Critical - Cache poisoning - SA-CORE-2023-006

---------- Forwarded message ---------
From:
Date: Wed, 20 Sep 2023 14:44
Subject: [Security-news] Drupal core - Critical - Cache poisoning - SA-CORE-2023-006
To:

View online: https://www.drupal.org/sa-core-2023-006

Project: Drupal core [1]
Date: 2023-September-20
Security risk: *Critical* 16/25 AC:Complex/A:None/CI:All/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cache poisoning
Affected versions: >=8.7.0 <9.5.11 || >=10.0 <10.0.11 || >= 10.1 <10.1.4

Description:

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected.

Drupal Steward [3] partners have been made aware of this issue. Some platforms may provide mitigations. However, not all WAF configurations can mitigate the issue, so it is still recommended to update promptly to this security release if your site uses JSON:API.

Solution:

Install the latest version:

* If you are using Drupal 10.1, update to Drupal 10.1.4 [4].
* If you are using Drupal 10.0, update to Drupal 10.0.11 [5].
* If you are using Drupal 9.5, update to Drupal 9.5.11 [6].

All versions of Drupal 9 prior to 9.5 are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life [7]. Drupal 7 is not affected.
Reported By:

* ghostccamm [8]

Fixed By:

* Drew Webber [9] of the Drupal Security Team
* Peter Wolanin [10] of the Drupal Security Team
* Nathaniel Catchpole [11] of the Drupal Security Team
* Alex Bronstein [12] of the Drupal Security Team
* Lee Rowlands [13] of the Drupal Security Team
* xjm [14] of the Drupal Security Team
* Wim Leers [15]
* Benji Fisher [16] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/steward
[4] https://www.drupal.org/project/drupal/releases/10.1.4
[5] https://www.drupal.org/project/drupal/releases/10.0.11
[6] https://www.drupal.org/project/drupal/releases/9.5.11
[7] https://www.drupal.org/psa-2021-06-29
[8] https://www.drupal.org/user/3778490
[9] https://www.drupal.org/user/255969
[10] https://www.drupal.org/user/49851
[11] https://www.drupal.org/user/35733
[12] https://www.drupal.org/user/78040
[13] https://www.drupal.org/user/395439
[14] https://www.drupal.org/user/65776
[15] https://www.drupal.org/user/99777
[16] https://www.drupal.org/user/683300

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

From security at unicamp.br Wed Sep 27 14:57:54 2023
From: security at unicamp.br (CSIRT Unicamp)
Date: Wed, 27 Sep 2023 14:57:54 -0300
Subject: [SECURITY-L] [Security-news] Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046

View online: https://www.drupal.org/sa-contrib-2023-046

Project: Entity cache [1]
Date: 2023-September-27
Security risk: *Critical* 16/25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Information disclosure

Description:

Entity Cache puts core entities into Drupal's cache API.
A recent release of the module does not sanitize certain inputs appropriately. This can lead to unintended behavior when wildcard characters are included in the input.

The impact of this bug should be relatively minor in most configurations, but in worst-case scenarios it could lead to significant Access Bypass.

Solution:

Install the latest version:

* If you use the Entity cache module for Drupal 7.x, upgrade to Entity cache 7.x-1.7 [3].

Reported By:

* Gary Sargent [4]

Fixed By:

* Damien McKenna [5] of the Drupal Security Team
* Gary Sargent [6]
* Drew Webber [7] of the Drupal Security Team
* Jess [8] of the Drupal Security Team
* Lee Rowlands [9] of the Drupal Security Team
* Juraj Nemec [10] of the Drupal Security Team
* Linus Cash [11]
* Neil Hodgkinson [12]

Coordinated By:

* Damien McKenna [13] of the Drupal Security Team
* Drew Webber [14] of the Drupal Security Team
* Jess [15] of the Drupal Security Team
* Greg Knaddison [16] of the Drupal Security Team

[1] https://www.drupal.org/project/entitycache
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/entitycache/releases/7.x-1.7
[4] https://www.drupal.org/user/3783192
[5] https://www.drupal.org/user/108450
[6] https://www.drupal.org/user/3783192
[7] https://www.drupal.org/user/255969
[8] https://www.drupal.org/user/65776
[9] https://www.drupal.org/user/395439
[10] https://www.drupal.org/user/272316
[11] https://www.drupal.org/user/3783315
[12] https://www.drupal.org/user/3783314
[13] https://www.drupal.org/user/108450
[14] https://www.drupal.org/user/255969
[15] https://www.drupal.org/user/65776
[16] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key:
http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830
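As an added example (not part of either advisory, and not Drupal's own tooling), the following Python checker parses the "Affected versions" expression quoted in SA-CORE-2023-006 above and applies the advisory's stated condition (vulnerable core version and the JSON:API module enabled) to triage an installed site. It assumes plain numeric Drupal versions (no pre-release suffix) and that a missing patch component means ".0"; the `triage` function and its messages are this example's own.

```python
import re

# Constructed from the advisory: the affected-version expression of SA-CORE-2023-006.
SA_CORE_2023_006 = ">=8.7.0 <9.5.11 || >=10.0 <10.0.11 || >= 10.1 <10.1.4"

def parse_version(text):
    """'10.1' -> (10, 1, 0): numeric tuple padded to three parts (stable releases only)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b}

def parse_constraint(expr):
    """Split a composer-style expression into OR groups ('||') of (operator, version) AND terms."""
    groups = []
    for group in expr.split("||"):
        terms = re.findall(r"(>=|<=|>|<)\s*(\d+(?:\.\d+)*)", group)
        if not terms:
            raise ValueError(f"no comparison found in {group!r}")
        groups.append([(op, parse_version(ver)) for op, ver in terms])
    return groups

def is_affected(version, expr=SA_CORE_2023_006):
    """True when the installed version falls inside any of the affected ranges."""
    installed = parse_version(version)
    return any(all(_OPS[op](installed, bound) for op, bound in group)
               for group in parse_constraint(expr))

def triage(version, jsonapi_enabled, expr=SA_CORE_2023_006):
    """Apply the advisory's condition: a vulnerable version only matters with JSON:API enabled."""
    if not is_affected(version, expr):
        return "not affected"
    if not jsonapi_enabled:
        return "affected version, JSON:API disabled: update at next window"
    return "exposed: update now or uninstall JSON:API"

if __name__ == "__main__":
    for v in ("9.5.10", "9.5.11", "10.0.11", "10.1.3", "10.1.4"):
        print(v, triage(v, jsonapi_enabled=True))
```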