
<div dir="ltr">

View online: <a href="https://www.drupal.org/sa-core-2023-002" rel="noreferrer" target="_blank">https://www.drupal.org/sa-core-2023-002</a><br>

<br>

Project: Drupal core [1]<br>

Date: 2023-March-15<br>

Security risk: *Moderately critical* 14∕25<br>

AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]<br>

Vulnerability: Information Disclosure<br>

<br>

Affected versions: >=8.0.0 <9.4.12 || >=9.5.0 <9.5.5 || >=10.0.0 <10.0.5<br>

Description: <br>

The Media module does not properly check entity access in some circumstances.<br>

This may result in users seeing thumbnails of media items they do not have<br>

access to, including for private files.<br>

<br>

This release was coordinated with SA-CONTRIB-2023-010 [3].<br>

<br>

This advisory is not covered by Drupal Steward [4].<br>

<br>

Solution: <br>

Install the latest version:<br>

<br>

   * If you are using Drupal 10.0, update to Drupal 10.0.5 [5].<br>

   * If you are using Drupal 9.5, update to Drupal 9.5.5 [6].<br>

   * If you are using Drupal 9.4, update to Drupal 9.4.12 [7].<br>

<br>

All versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive<br>

security coverage. Note that Drupal 8 has reached its end of life [8].<br>

<br>

Drupal 7 core does not include the Media Library module and therefore is not<br>

affected.<br>

<br>

Reported By: <br>

   * James Williams [9]<br>

   * Dan Flanagan [10]<br>

<br>

Fixed By: <br>

   * Lee Rowlands [11] of the Drupal Security Team<br>

   * James Williams [12]<br>

   * Jess  [13] of the Drupal Security Team<br>

   * Dave Long [14] of the Drupal Security Team<br>

   * Dan Flanagan [15]<br>

   * Jen Lampton [16] Provisional Member of the Drupal Security Team<br>

   * Joseph Zhao [17] Provisional Member of the Drupal Security Team<br>

   * Benji Fisher [18] of the Drupal Security Team<br>

<br>

<br>

[1] <a href="https://www.drupal.org/project/drupal" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal</a><br>

[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>

[3] <a href="https://www.drupal.org/sa-contrib-2023-010" rel="noreferrer" target="_blank">https://www.drupal.org/sa-contrib-2023-010</a><br>

[4] <a href="https://www.drupal.org/steward" rel="noreferrer" target="_blank">https://www.drupal.org/steward</a><br>

[5] <a href="https://www.drupal.org/project/drupal/releases/10.0.5" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/10.0.5</a><br>

[6] <a href="https://www.drupal.org/project/drupal/releases/9.5.5" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/9.5.5</a><br>

[7] <a href="https://www.drupal.org/project/drupal/releases/9.4.12" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/9.4.12</a><br>

[8] <a href="https://www.drupal.org/psa-2021-06-29" rel="noreferrer" target="_blank">https://www.drupal.org/psa-2021-06-29</a><br>

[9] <a href="https://www.drupal.org/user/592268" rel="noreferrer" target="_blank">https://www.drupal.org/user/592268</a><br>

[10] <a href="https://www.drupal.org/user/3615359" rel="noreferrer" target="_blank">https://www.drupal.org/user/3615359</a><br>

[11] <a href="https://www.drupal.org/user/395439" rel="noreferrer" target="_blank">https://www.drupal.org/user/395439</a><br>

[12] <a href="https://www.drupal.org/user/592268" rel="noreferrer" target="_blank">https://www.drupal.org/user/592268</a><br>

[13] <a href="https://www.drupal.org/user/65776" rel="noreferrer" target="_blank">https://www.drupal.org/user/65776</a><br>

[14] <a href="https://www.drupal.org/user/246492" rel="noreferrer" target="_blank">https://www.drupal.org/user/246492</a><br>

[15] <a href="https://www.drupal.org/user/3615359" rel="noreferrer" target="_blank">https://www.drupal.org/user/3615359</a><br>

[16] <a href="https://www.drupal.org/user/85586" rel="noreferrer" target="_blank">https://www.drupal.org/user/85586</a><br>

[17] <a href="https://www.drupal.org/user/1987218" rel="noreferrer" target="_blank">https://www.drupal.org/user/1987218</a><br>

[18] <a href="https://www.drupal.org/user/683300" rel="noreferrer" target="_blank">https://www.drupal.org/user/683300</a><br>

<br>

_______________________________________________<br>

Security-news mailing list<br>

<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>

Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a><div class="gmail-yj6qo"></div><div class="gmail-adL"><br>

</div>


<div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a> [^]</div><div>Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830</div></div></div></div></div>