drupal security adv

Subscribe to drupal security adv feed
Updated: 3 days 12 hours ago

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015

Wed, 07/20/2022 - 17:41
Project: Drupal coreDate: 2022-July-20Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Multiple vulnerabilitiesCVE IDs: CVE-2022-25276Description: 

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Media module and therefore is not affected.

Reported By: 
  • Heine of the Drupal Security Team
Fixed By: 

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014

Wed, 07/20/2022 - 17:40
Project: Drupal coreDate: 2022-July-20Security risk: Critical 15∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Arbitrary PHP code executionCVE IDs: CVE-2022-25277Description: 

Updated 2022-07-20 19:45 UTC to indicate that this only affects Apache web servers.

Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).

However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers.

This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core is not affected.

Auditing your files directory's .htaccess to ensure it has not been overwritten or overridden in a subdirectory

If your web server uses Apache httpd with AllowOverride, you should check within your files directories and subdirectories to ensure that any .htaccess files present are intentional. You can search for files named .htaccess by running the following command in the roots of both your public and private files directory:

find ./ -name ".htaccess" -print

Drupal automatically creates .htaccess files like the following in the root of the public files directory:

# Turn off all options we don't need. Options -Indexes -ExecCGI -Includes -MultiViews # Set the catch-all handler to prevent scripts from being executed. SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 <Files *> # Override the handler again if we're run later in the evaluation list. SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003 </Files> # If we know how to do it safely, disable the PHP engine entirely. <IfModule mod_php7.c> php_flag engine off </IfModule> <IfModule mod_php.c> php_flag engine off </IfModule>

Check with your system administrator for the correct .htaccess configuration for the given files directory.

This advisory is not covered by Drupal Steward.

Reported By: Fixed By: 

Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013

Wed, 07/20/2022 - 17:35
Project: Drupal coreDate: 2022-July-20Security risk: Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access BypassCVE IDs: CVE-2022-25278Description: 

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.

No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core is not affected.

Reported By: Fixed By: 

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012

Wed, 07/20/2022 - 17:34
Project: Drupal coreDate: 2022-July-20Security risk: Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information DisclosureCVE IDs: CVE-2022-25275Description: 

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.

Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.

This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI.

Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Reported By: Fixed By: 

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

Fri, 06/10/2022 - 21:39
Project: Drupal coreDate: 2022-June-10Security risk: Moderately critical 13∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Third-party librariesCVE IDs: CVE-2022-31042CVE-2022-31043Description: 

Updated 22:00 UTC 2022-06-10: Added steps to update without drupal/core-recommended.

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:

These do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.

We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has already published information about the vulnerabilities, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated these vulnerabilities as high-risk.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 is not affected.

Advanced users may also work around this issue by temporarily using drupal/core instead of drupal/core-recommended and then updating Guzzle to the desired version. More information on managing Guzzle with Drupal 9.4.

Reported By: Fixed By: 

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-010

Wed, 05/25/2022 - 21:39
Project: Drupal coreDate: 2022-May-25Security risk: Moderately critical 13∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Third-party librariesCVE IDs: CVE-2022-29248Description: 

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.

We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has already published information about the vulnerability, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated this vulnerability as high-risk.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 is not affected.

Reported By: Fixed By: