
<div dir="ltr"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><br></div></div></div><div class="gmail_quote">View online: <a href="https://www.drupal.org/sa-contrib-2023-046" rel="noreferrer" target="_blank">https://www.drupal.org/sa-contrib-2023-046</a><br>

<br>

Project: Entity cache [1]<br>

Date: 2023-September-27<br>

Security risk: *Critical* 16∕25<br>

AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon [2]<br>

Vulnerability: Information disclosure<br>

<br>

Description: <br>

Entity Cache puts core entities into Drupal's cache API.<br>

<br>

A recent release of the module does not sanitize certain inputs<br>

appropriately. This can lead to unintended behavior when wildcard characters<br>

are included in the input.<br>

<br>

The impact of this bug should be relatively minor in most configurations, but<br>

in worst-case scenarios it could lead to significant Access Bypass.<br>

<br>

Solution: <br>

Install the latest version:<br>

<br>

   * If you use the Entity cache module for Drupal 7.x, upgrade to Entity <br>

cache<br>

     7.x-1.7 [3].<br>

<br>

Reported By: <br>

   * Gary Sargent [4]<br>

<br>

Fixed By: <br>

   * Damien McKenna [5] of the Drupal Security Team<br>

   * Gary Sargent [6]<br>

   * Drew Webber [7] of the Drupal Security Team<br>

   * Jess [8] of the Drupal Security Team<br>

   * Lee Rowlands [9] of the Drupal Security Team<br>

   * Juraj Nemec [10] of the Drupal Security Team<br>

   * Linus Cash [11]<br>

   * Neil Hodgkinson [12]<br>

<br>

Coordinated By: <br>

   * Damien McKenna [13] of the Drupal Security Team<br>

   * Drew Webber [14] of the Drupal Security Team<br>

   * Jess [15] of the Drupal Security Team<br>

   * Greg Knaddison [16] of the Drupal Security Team<br>

<br>

<br>

[1] <a href="https://www.drupal.org/project/entitycache" rel="noreferrer" target="_blank">https://www.drupal.org/project/entitycache</a><br>

[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>

[3] <a href="https://www.drupal.org/project/entitycache/releases/7.x-1.7" rel="noreferrer" target="_blank">https://www.drupal.org/project/entitycache/releases/7.x-1.7</a><br>

[4] <a href="https://www.drupal.org/user/3783192" rel="noreferrer" target="_blank">https://www.drupal.org/user/3783192</a><br>

[5] <a href="https://www.drupal.org/user/108450" rel="noreferrer" target="_blank">https://www.drupal.org/user/108450</a><br>

[6] <a href="https://www.drupal.org/user/3783192" rel="noreferrer" target="_blank">https://www.drupal.org/user/3783192</a><br>

[7] <a href="https://www.drupal.org/user/255969" rel="noreferrer" target="_blank">https://www.drupal.org/user/255969</a><br>

[8] <a href="https://www.drupal.org/user/65776" rel="noreferrer" target="_blank">https://www.drupal.org/user/65776</a><br>

[9] <a href="https://www.drupal.org/user/395439" rel="noreferrer" target="_blank">https://www.drupal.org/user/395439</a><br>

[10] <a href="https://www.drupal.org/user/272316" rel="noreferrer" target="_blank">https://www.drupal.org/user/272316</a><br>

[11] <a href="https://www.drupal.org/user/3783315" rel="noreferrer" target="_blank">https://www.drupal.org/user/3783315</a><br>

[12] <a href="https://www.drupal.org/user/3783314" rel="noreferrer" target="_blank">https://www.drupal.org/user/3783314</a><br>

[13] <a href="https://www.drupal.org/user/108450" rel="noreferrer" target="_blank">https://www.drupal.org/user/108450</a><br>

[14] <a href="https://www.drupal.org/user/255969" rel="noreferrer" target="_blank">https://www.drupal.org/user/255969</a><br>

[15] <a href="https://www.drupal.org/user/65776" rel="noreferrer" target="_blank">https://www.drupal.org/user/65776</a><br>

[16] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>

<br>

_______________________________________________<br>

Security-news mailing list<br>

<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>

Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a><br>

</div><div class="gmail_quote"><br></div><div class="gmail_quote"><br></div><div class="gmail_quote"><div>===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a> [^]</div><div>Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830</div></div></div>