
<div dir="ltr"><div><br></div><div class="gmail_quote"><br>View online: <a href="https://www.drupal.org/sa-core-2024-004" rel="noreferrer" target="_blank">https://www.drupal.org/sa-core-2024-004</a><br>

<br>

Project: Drupal core [1]<br>

Date: 2024-November-20<br>

Security risk: *Moderately critical* 10 ∕ 25<br>

AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2]<br>

Vulnerability: Access bypass<br>

<br>

Affected versions: >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 <<br>

11.0.8<br>

Description: <br>

Drupal's uniqueness checking for certain user fields is inconsistent<br>

depending on the database engine and its collation.<br>

<br>

As a result, a user may be able to register with the same email address as<br>

another user.<br>

<br>

This may lead to data integrity issues.<br>

<br>

Solution: <br>

Install the latest version:<br>

<br>

   * If you are using Drupal 10.2, update to Drupal 10.2.11. [3]<br>

   * If you are using Drupal 10.3, update to Drupal 10.3.9. [4]<br>

   * If you are using Drupal 11.0, update to Drupal 11.0.8. [5]<br>

   * Drupal 7 is not affected.<br>

<br>

All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive<br>

security coverage. (Drupal 8 [6] and Drupal 9 [7] have both reached<br>

end-of-life.)<br>

<br>

Updating Drupal will not solve potential issues with existing accounts<br>

affected by this bug. See Fixing emails that vary only by case [8] for<br>

additional guidance.<br>

<br>

Reported By: <br>

   * Wayne Eaker [9]<br>

<br>

Fixed By: <br>

   * Wayne Eaker [10]<br>

   * cilefen  [11] of the Drupal Security Team<br>

   * Kristiaan Van den Eynde [12]<br>

   * Drew Webber [13] of the Drupal Security Team<br>

   * Lee Rowlands [14] of the Drupal Security Team<br>

<br>

Coordinated By: <br>

   * Juraj Nemec [15] of the Drupal Security Team<br>

   * Benji Fisher [16] of the Drupal Security Team<br>

   * xjm [17] of the Drupal Security Team<br>

<br>

<br>

[1] <a href="https://www.drupal.org/project/drupal" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal</a><br>

[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>

[3] <a href="https://www.drupal.org/project/drupal/releases/10.2.11" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/10.2.11</a><br>

[4] <a href="https://www.drupal.org/project/drupal/releases/10.3.9" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/10.3.9</a><br>

[5] <a href="https://www.drupal.org/project/drupal/releases/11.0.8" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/11.0.8</a><br>

[6] <a href="https://www.drupal.org/psa-2021-06-29" rel="noreferrer" target="_blank">https://www.drupal.org/psa-2021-06-29</a><br>

[7] <a href="https://www.drupal.org/psa-2023-11-01" rel="noreferrer" target="_blank">https://www.drupal.org/psa-2023-11-01</a><br>

[8] <a href="https://www.drupal.org/node/3486109" rel="noreferrer" target="_blank">https://www.drupal.org/node/3486109</a><br>

[9] <a href="https://www.drupal.org/user/326925" rel="noreferrer" target="_blank">https://www.drupal.org/user/326925</a><br>

[10] <a href="https://www.drupal.org/user/326925" rel="noreferrer" target="_blank">https://www.drupal.org/user/326925</a><br>

[11] <a href="https://www.drupal.org/user/1850070" rel="noreferrer" target="_blank">https://www.drupal.org/user/1850070</a><br>

[12] <a href="https://www.drupal.org/user/1345130" rel="noreferrer" target="_blank">https://www.drupal.org/user/1345130</a><br>

[13] <a href="https://www.drupal.org/user/255969" rel="noreferrer" target="_blank">https://www.drupal.org/user/255969</a><br>

[14] <a href="https://www.drupal.org/user/395439" rel="noreferrer" target="_blank">https://www.drupal.org/user/395439</a><br>

[15] <a href="https://www.drupal.org/user/272316" rel="noreferrer" target="_blank">https://www.drupal.org/user/272316</a><br>

[16] <a href="https://www.drupal.org/user/683300" rel="noreferrer" target="_blank">https://www.drupal.org/user/683300</a><br>

[17] <a href="https://www.drupal.org/u/xjm" rel="noreferrer" target="_blank">https://www.drupal.org/u/xjm</a><br>

<br>

_______________________________________________<br>

Security-news mailing list<br>

<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>

Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a><br>

</div><div class="gmail_quote"><br></div><div class="gmail_quote"><div><br class="gmail-Apple-interchange-newline">===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a> [^]</div><div>Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830</div><br class="gmail-Apple-interchange-newline"></div></div>