[SECURITY-L] [Security-news] Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004

CSIRT Unicamp security em unicamp.br
Quinta Novembro 21 09:30:48 -03 2024 

View online: https://www.drupal.org/sa-core-2024-004

Project: Drupal core [1]
Date: 2024-November-20
Security risk: *Moderately critical* 10 ∕ 25
AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 <
11.0.8
Description:
Drupal's uniqueness checking for certain user fields is inconsistent
depending on the database engine and its collation.

As a result, a user may be able to register with the same email address as
another user.

This may lead to data integrity issues.

Solution:
Install the latest version:

   * If you are using Drupal 10.2, update to Drupal 10.2.11. [3]
   * If you are using Drupal 10.3, update to Drupal 10.3.9. [4]
   * If you are using Drupal 11.0, update to Drupal 11.0.8. [5]
   * Drupal 7 is not affected.

All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive
security coverage. (Drupal 8 [6] and Drupal 9 [7] have both reached
end-of-life.)

Updating Drupal will not solve potential issues with existing accounts
affected by this bug. See Fixing emails that vary only by case [8] for
additional guidance.

Reported By:
   * Wayne Eaker [9]

Fixed By:
   * Wayne Eaker [10]
   * cilefen  [11] of the Drupal Security Team
   * Kristiaan Van den Eynde [12]
   * Drew Webber [13] of the Drupal Security Team
   * Lee Rowlands [14] of the Drupal Security Team

Coordinated By:
   * Juraj Nemec [15] of the Drupal Security Team
   * Benji Fisher [16] of the Drupal Security Team
   * xjm [17] of the Drupal Security Team


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/10.2.11
[4] https://www.drupal.org/project/drupal/releases/10.3.9
[5] https://www.drupal.org/project/drupal/releases/11.0.8
[6] https://www.drupal.org/psa-2021-06-29
[7] https://www.drupal.org/psa-2023-11-01
[8] https://www.drupal.org/node/3486109
[9] https://www.drupal.org/user/326925
[10] https://www.drupal.org/user/326925
[11] https://www.drupal.org/user/1850070
[12] https://www.drupal.org/user/1345130
[13] https://www.drupal.org/user/255969
[14] https://www.drupal.org/user/395439
[15] https://www.drupal.org/user/272316
[16] https://www.drupal.org/user/683300
[17] https://www.drupal.org/u/xjm

_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc [^]
Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: <http://www.listas.unicamp.br/pipermail/security-l/attachments/20241121/f7355eed/attachment.html>

Mais detalhes sobre a lista de discussão SECURITY-L