[SECURITY-L] [Security-news] Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046

CSIRT Unicamp security at unicamp.br
Wed Sep 27 14:57:54 -03 2023


View online: https://www.drupal.org/sa-contrib-2023-046

Project: Entity cache [1]
Date: 2023-September-27
Security risk: *Critical* 16/25
AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Information disclosure

Description:
Entity Cache puts core entities into Drupal's cache API.

A recent release of the module does not sanitize certain inputs
appropriately. This can lead to unintended behavior when wildcard characters
are included in the input.

The impact of this bug should be relatively minor in most configurations,
but in worst-case scenarios it could lead to significant Access Bypass.

Solution:
Install the latest version:

   * If you use the Entity cache module for Drupal 7.x, upgrade to
     Entity cache 7.x-1.7 [3].
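The advisory's only remediation is a version floor, so the first thing an operator needs is a reliable read of which Entity cache release each Drupal 7 site is running. The script below is an added example, not part of the advisory or of the Entity cache project. It assumes the drupal.org packaging convention that a released module ships an entitycache.info file containing a line such as version = "7.x-1.6"; a module checked out from git has no such line, and the script reports that rather than guessing. The fixed release 7.x-1.7 is taken from the advisory; all other values are constructed.

```shell
#!/bin/sh
# Added example: is an installed Entity cache 7.x module older than the
# fixed release named in SA-CONTRIB-2023-046? Assumes the drupal.org
# packaging layout (entitycache.info with a `version = "7.x-N.M"` line).

FIXED_VERSION="7.x-1.7"   # fixed release from the advisory

# Read .info content on stdin and print its version string (e.g. 7.x-1.6).
# Prints nothing when no version line exists (typical of a git checkout).
info_version() {
  awk -F= '/^[[:space:]]*version[[:space:]]*=/ {
             v = $2; gsub(/[^0-9A-Za-z.+-]/, "", v); print v; exit }'
}

# needs_upgrade VERSION
#   0 : VERSION is a 7.x-1.* release older than FIXED_VERSION
#   1 : VERSION is 7.x-1.7 or later
#   2 : no verdict possible (empty, -dev snapshot, pre-release suffix,
#       or a branch the advisory does not cover); review by hand
needs_upgrade() {
  ver="$1"
  case "$ver" in
    7.x-*) ;;                 # only the 7.x branch is covered
    *)     return 2 ;;
  esac
  rel="${ver#7.x-}"           # "1.6", "1.x-dev", "1.7-beta1", ...
  case "$rel" in
    *-*|*x*) return 2 ;;      # snapshots and pre-releases: manual review
    *.*)     ;;
    *)       return 2 ;;      # no minor component: unknown format
  esac
  major="${rel%%.*}"
  minor="${rel#*.}"
  fixed="${FIXED_VERSION#7.x-}"
  fmajor="${fixed%%.*}"
  fminor="${fixed#*.}"
  case "$major$minor" in
    *[!0-9]*) return 2 ;;     # non-numeric parts: unknown format
  esac
  [ "$major" -eq "$fmajor" ] || return 2   # only 7.x-1.* has a fix here
  [ "$minor" -lt "$fminor" ] && return 0
  return 1
}

# check_info_file PATH : print a one-line verdict; exit status as above
check_info_file() {
  ver=$(info_version < "$1")
  rc=0
  needs_upgrade "$ver" || rc=$?
  case "$rc" in
    0) echo "$1: Entity cache $ver predates $FIXED_VERSION; upgrade required" ;;
    1) echo "$1: Entity cache $ver is at or beyond $FIXED_VERSION" ;;
    *) echo "$1: version '${ver:-unknown}' cannot be compared; review manually" ;;
  esac
  return "$rc"
}

if [ $# -gt 0 ]; then
  check_info_file "$1"
else
  # No path given: run against a constructed sample .info, not a real site
  tmp=$(mktemp)
  printf '%s\n' 'name = Entity cache' 'core = 7.x' 'version = "7.x-1.6"' > "$tmp"
  check_info_file "$tmp" || true
  rm -f "$tmp"
fi
```

Run it as `sh check_entitycache.sh sites/all/modules/entitycache/entitycache.info` on each site; an exit status of 0 means the site still needs the upgrade, 1 means it is at or beyond 7.x-1.7, and 2 means the version string could not be judged automatically (a -dev snapshot, for instance), which should be treated as unpatched until confirmed.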

Reported By:
   * Gary Sargent [4]

Fixed By:
   * Damien McKenna [5] of the Drupal Security Team
   * Gary Sargent [6]
   * Drew Webber [7] of the Drupal Security Team
   * Jess [8] of the Drupal Security Team
   * Lee Rowlands [9] of the Drupal Security Team
   * Juraj Nemec [10] of the Drupal Security Team
   * Linus Cash [11]
   * Neil Hodgkinson [12]

Coordinated By:
   * Damien McKenna [13] of the Drupal Security Team
   * Drew Webber [14] of the Drupal Security Team
   * Jess [15] of the Drupal Security Team
   * Greg Knaddison [16] of the Drupal Security Team


[1] https://www.drupal.org/project/entitycache
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/entitycache/releases/7.x-1.7
[4] https://www.drupal.org/user/3783192
[5] https://www.drupal.org/user/108450
[6] https://www.drupal.org/user/3783192
[7] https://www.drupal.org/user/255969
[8] https://www.drupal.org/user/65776
[9] https://www.drupal.org/user/395439
[10] https://www.drupal.org/user/272316
[11] https://www.drupal.org/user/3783315
[12] https://www.drupal.org/user/3783314
[13] https://www.drupal.org/user/108450
[14] https://www.drupal.org/user/255969
[15] https://www.drupal.org/user/65776
[16] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830