[SECURITY-L] [Security-news] REST Views - Moderately critical - Information Disclosure - SA-CONTRIB-2024-018

CSIRT Unicamp security at unicamp.br
Wednesday April 24 14:24:43 -03 2024


View online: https://www.drupal.org/sa-contrib-2024-018

Project: REST Views [1]
Date: 2024-April-24
Security risk: *Moderately critical* 14/25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information Disclosure

Affected versions: <3.0.1
Description:
The REST Views module lets site admins create REST exports in Views with
additional options for serializing data.

This module does not accurately check access and may expose paths to
unpublished content.

This vulnerability is mitigated by the fact that there must be a specific
content structure to expose.

Paths to unpublished entities (such as nodes) will be exposed if those
entities are referenced from other entities listed in a REST display, and the
reference field on those listed entities is displayed with the "Entity path"
formatter.
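As an added illustration (not the REST Views module's own code), the following field formatter shows the defensive pattern an "Entity path"-style formatter needs: the referenced entity's path is only serialized when the current user passes the entity's own view access check, so unpublished nodes the user cannot view never appear in the export. The module namespace, class name and plugin id are placeholders; the API calls are Drupal core's.

```php
<?php

namespace Drupal\example_module\Plugin\Field\FieldFormatter;

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Field\Plugin\Field\FieldFormatter\EntityReferenceFormatterBase;

/**
 * Emits the canonical path of each referenced entity the user may view.
 *
 * @FieldFormatter(
 *   id = "example_entity_path_checked",
 *   label = @Translation("Entity path (access checked)"),
 *   field_types = {"entity_reference"}
 * )
 */
class CheckedEntityPathFormatter extends EntityReferenceFormatterBase {

  /**
   * {@inheritdoc}
   */
  public function viewElements(FieldItemListInterface $items, $langcode) {
    $elements = [];
    // getEntitiesToView() (core) already drops targets that fail
    // $entity->access('view'). Iterating $items and loading targets
    // directly would bypass that filter, which is exactly how a path to
    // an unpublished node can leak into a REST export.
    foreach ($this->getEntitiesToView($items, $langcode) as $delta => $entity) {
      // Defence in depth: re-check explicitly and keep the access result's
      // cacheability, so a cached response is never served to a user with
      // different permissions.
      $access = $entity->access('view', NULL, TRUE);
      if (!$access->isAllowed() || !$entity->hasLinkTemplate('canonical')) {
        continue;
      }
      $elements[$delta] = [
        '#markup' => $entity->toUrl()->toString(),
      ];
      CacheableMetadata::createFromObject($access)
        ->addCacheableDependency($entity)
        ->applyTo($elements[$delta]);
    }
    return $elements;
  }

}
```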

Solution:
Install the latest version:

   * REST Views 8.x-1.x versions are unsupported.
   * REST Views 2.x versions: upgrade to REST Views 3.0.1 [3]
   * REST Views 3.x versions prior to 3.0.1: upgrade to REST Views 3.0.1 [4]

Reported By:
   * nicxvan [5]

Fixed By:
   * nicxvan [6]

Coordinated By:
   * Benji Fisher [7] of the Drupal Security Team
   * Greg Knaddison [8] of the Drupal Security Team
   * Cathy Theys [9] of the Drupal Security Team


[1] https://www.drupal.org/project/rest_views
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/rest_views/releases/3.0.1
[4] https://www.drupal.org/project/rest_views/releases/3.0.1
[5] https://www.drupal.org/user/531480
[6] https://www.drupal.org/user/531480
[7] https://www.drupal.org/user/683300
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/258568

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830