From security em unicamp.br Wed Mar 6 14:29:56 2024
From: security em unicamp.br (CSIRT Unicamp)
Date: Wed, 6 Mar 2024 14:29:56 -0300
Subject: [SECURITY-L] [Security-news] Registration role - Critical - Access bypass - SA-CONTRIB-2024-015
In-Reply-To:
References:
Message-ID:

View online: https://www.drupal.org/sa-contrib-2024-015

Project: Registration role [1]
Date: 2024-March-06
Security risk: *Critical* 18/25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Affected versions: <2.0.1

Description:

The Registration role module lets an administrator select a role (or multiple roles) to automatically assign to new users. The selected role (or roles) will be assigned to new registrants.

The module has a logic error when handling sites that upgraded code and did not run the Drupal update process (e.g. update.php).

This vulnerability is mitigated by the fact that the problem does not exist on sites that followed the process of updating code and running the standard updates.

Solution:

Install the latest version:

* If you use the Registration role module version 2.x, upgrade to Registration role 2.0.1 [3]

Review user accounts registered between 2023 July 11 and now for having additional roles you did not intend for them to have.

If your site missed or reverted an update to configuration in the version 2.0.0 release of Registration Role (or development branch from 2020 August 17 on), non-selected roles were not removed from configuration. Without this update, up until you re-saved the settings form or until you install the new release - whichever came first - users who registered receive /all/ roles.

Also, upgrade to the latest version /and run update hooks/ at update.php or with Drush, drush updb

OR: Immediately re-save the configuration page at /admin/people/registration-role

Reported By:

* Pamela Barone [4]
* Renaud Joubert [5]

Fixed By:

* Juraj Nemec [6] of the Drupal Security Team
* Benjamin Melançon [7]

Coordinated By:

* Juraj Nemec [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
* Drew Webber [10] of the Drupal Security Team

[1] https://www.drupal.org/project/registration_role
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/registration_role/releases/2.0.1
[4] https://www.drupal.org/user/1431110
[5] https://www.drupal.org/user/549974
[6] https://www.drupal.org/user/272316
[7] https://www.drupal.org/user/64383
[8] https://www.drupal.org/user/272316
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/255969

_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830
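The advisory asks site owners to review accounts registered since 2023 July 11 for roles they were never meant to receive. The following Drush script is an added example written for this archive entry; it is not code from the advisory, the Drupal Security Team or the Registration role module. It assumes a Drupal 9/10 site bootstrapped by `drush php:script`, and the role machine names in `$intended_roles` are placeholders to be replaced with the roles actually selected at /admin/people/registration-role.

```php
<?php
// Added audit script (not part of the advisory or the Registration role module).
// Usage: drush php:script audit_registration_roles.php
// Reports every account created on or after 2023-07-11 that holds a role
// outside the set the site intended to grant to new registrants.

use Drupal\user\Entity\User;

// Placeholder: replace with the role machine names chosen on the
// Registration role settings form (/admin/people/registration-role).
$intended_roles = ['example_member'];

// Start of the review window named in the advisory (UTC assumed).
$since = (new \DateTimeImmutable('2023-07-11', new \DateTimeZone('UTC')))
  ->getTimestamp();

// Entity query without access checks: this is an administrative audit,
// so it must see every account regardless of the running user's rights.
$uids = \Drupal::entityQuery('user')
  ->accessCheck(FALSE)
  ->condition('uid', 0, '>')            // skip the anonymous user record
  ->condition('created', $since, '>=')
  ->execute();

$suspect = [];
foreach (User::loadMultiple($uids) as $account) {
  // getRoles(TRUE) omits the locked 'anonymous' and 'authenticated' roles,
  // leaving only roles that were explicitly assigned.
  $extra = array_diff($account->getRoles(TRUE), $intended_roles);
  if ($extra) {
    $suspect[$account->id()] = $extra;
    printf("uid %d (%s) created %s has unexpected roles: %s\n",
      $account->id(),
      $account->getAccountName(),
      date('Y-m-d', $account->getCreatedTime()),
      implode(', ', $extra));
  }
}

printf("%d of %d accounts reviewed carry roles outside the intended set.\n",
  count($suspect), count($uids));
```

The script only reports; once the list has been checked by hand, an unintended role can be dropped from an account with `$account->removeRole($rid); $account->save();`, which should be done after the 2.0.1 update and `drush updb` (or a re-save of the settings form) so that new registrations stop receiving every role.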