Drupal security advisories

Project: 
Date: 
2019-July-17
Vulnerability: 
Access bypass
CVE IDs: 
CVE-2019-6342
Description: 

In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created.

This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.

Drupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are not affected.

Solution: 

If the site is running Drupal 8.7.4, upgrade to Drupal 8.7.5.

Note, manual step needed. For sites with the Workspaces module enabled, update.php needs to run to ensure a required cache clear. If there is a reverse proxy cache or content delivery network (e.g. Varnish, CloudFlare) it is also advisable to clear these as well.

Reported By: 
Fixed By: 

Project: 
Date: 
2019-May-08
Vulnerability: 
Third-party libraries
CVE IDs: 
CVE-2019-11831
Description: 

This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor:

In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. […]

The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.

The known vulnerability in Drupal core requires the “administer themes” permission. However, additional vulnerabilities may exist in contributed or custom modules, so site should still update even if they do not grant this permission.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive security coverage.

Also see the Drupal core project page.

Reported By: 
Fixed By: 

Project: 
Date: 
2019-April-17
Vulnerability: 
Cross Site Scripting
CVE IDs: 
CVE-2019-11358
Description: 

The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their release notes:

jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, …). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

It’s possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as jQuery Update.

2019-04-22, edited to add CVE.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Also see the Drupal core project page.

Additional information

All advisories released today:

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Reported By: 
Fixed By: 

Project: 
Date: 
2019-April-17
Vulnerability: 
Multiple Vulnerabilities
Description: 

This security release fixes third-party dependencies included in or required by Drupal core.

  • CVE-2019-10909: Escape validation messages in the PHP templating engine. From that advisory:

    Validation messages were not escaped when using the form theme of the PHP templating engine which, when validation messages may contain user input, could result in an XSS.

  • CVE-2019-10910: Check service IDs are valid. From that advisory:

    Service IDs derived from unfiltered user input could result in the execution of any arbitrary code, resulting in possible remote code execution.

  • CVE-2019-10911: Add a separator in the remember me cookie hash. From that advisory:

    This fixes situations where part of an expiry time in a cookie could be considered part of the username, or part of the username could be considered part of the expiry time. An attacker could modify the remember me cookie and authenticate as a different user. This attack is only possible if remember me functionality is enabled and the two users share a password hash or the password hashes (e.g. UserInterface::getPassword()) are null for all users (which is valid if passwords are checked by an external system, e.g. an SSO).

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Also see the Drupal core project page.

Additional information

All advisories released today:

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Reported By: 
Fixed By: 

Project: 
Date: 
2019-March-20
Vulnerability: 
Cross Site Scripting
CVE IDs: 
CVE-2019-6341
Description: 

Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Solution: 

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Reported By: 
Fixed By: 

Project: 
Date: 
2019-February-20
Vulnerability: 
Remote Code Execution
CVE IDs: 
CVE-2019-6340
Description: 

Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

A site is only affected by this if one of the following conditions is met:

  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET, PATCH or POST requests, or
  • the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

(Note: The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use.)

Updates

  • 2019-02-22: Updated risk score given new information; see PSA-2019-02-22. The security risk score has been updated to 23/25 as there are now known exploits in the wild. In addition, any enabled REST resource end-point, even if it only accepts GET requests, is also vulnerable. Note this does not include REST exports from Views module.
Solution: 

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

To immediately mitigate the vulnerability, you can disable all web services modules, or configure your web server(s) to not allow GET/PUT/PATCH/POST requests to web services resources. Note that web services resources may be available on multiple paths depending on the configuration of your server(s). For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the “q” query argument. For Drupal 8, paths may still function when prefixed with index.php/.

Reported By: 
Fixed By: 

Project: 
Date: 
2019-January-16
Vulnerability: 
Arbitrary PHP code execution
CVE IDs: 
CVE-2019-6339
Description: 

A remote code execution vulnerability exists in PHP’s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.

This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

Solution: 
  • If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6.
  • If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9.
  • If you are using Drupal 7.x, upgrade to Drupal 7.62.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Known issues

This fix introduced a fatal error for some Drush installations when updating a site with Drush. New releases (8.6.7, 8.5.10, and 7.63) have been issued to resolve this regression. See the release notes for additional details.

Update information

.phar added to dangerous extensions list

The .phar file extension has been added to Drupal’s dangerous extensions list, which means that any such file uploaded to a Drupal file field will automatically be converted to a text file (with the .txt extension) to prevent it from being executed. This is similar to how Drupal handles file uploads with a .php extension.

phar:// stream wrapper disabled by default for Drupal 7 sites on PHP 5.3.2 and earlier

The replacement stream wrapper is not compatible with PHP versions lower than 5.3.3. Drupal 8 requires a higher PHP version than that, but for Drupal 7 sites using lower PHP versions, the built-in phar stream wrapper has been disabled rather than replaced. Drupal 7 sites using PHP 5.2 (or PHP 5.3.0-5.3.2) that require phar support will need to re-enable the stream wrapper for it; however, note that re-enabling the stream wrapper will re-enable the insecure PHP behavior on those PHP versions.

It is very uncommon to both be running a PHP version lower than 5.3.3 and to need phar support. If you’re in that situation, consider upgrading your PHP version instead of restoring insecure phar support.

Reported By: 
Fixed By: 

Additional information

Note: Going forward, Drupal core will issue individual security advisories for separate vulnerabilities included in the release, rather than lumping “multiple vulnerabilities” into a single advisory. All advisories released today:

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

Project: 
Date: 
2019-January-16
Vulnerability: 
Third Party Libraries
CVE IDs: 
CVE-2019-6338
Description: 

Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.

Solution: 
  • If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6.
  • If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9.
  • If you are using Drupal 7.x, upgrade to Drupal 7.62.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Fixed By: 

Known issues

Users are reporting seeing a fatal error when updating their sites with Drush. Site owners may be able to run drush updb and either drush cc all or drush cr depending on the version to complete the update. Check the status report afterward to confirm that Drupal has been updated. See https://www.drupal.org/project/drupal/issues/3026386 for details.

Additional information

Note: Going forward, Drupal core will issue individual security advisories for separate vulnerabilities included in the release, rather than lumping “multiple vulnerabilities” into a single advisory. All advisories released today:

Updating to the latest Drupal core release will apply the fixes for all the above advisories.

  • Advisory ID: DRUPAL-SA-CORE-2018-006
  • Project: Drupal core
  • Version: 7.x, 8.x
  • Date: 2018-October-17

Description

Content moderation – Moderately critical – Access bypass – Drupal 8

In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass.

In order to fix this issue, the following changes have been made to content moderation which may have implications for backwards compatibility:

ModerationStateConstraintValidator
Two additional services have been injected into this service. Anyone subclassing this service must ensure these additional dependencies are passed to the constructor, if the constructor has been overridden.
StateTransitionValidationInterface
An additional method has been added to this interface. Implementations of this interface which do not extend the StateTransitionValidation should implement this method.

Implementations which do extend from the StateTransitionValidation should ensure any behavioural changes they have made are also reflected in this new method.

User permissions
Previously users who didn’t have access to use any content moderation transitions were granted implicit access to update content provided the state of the content did not change. Now access to an associated transition will be validated for all users in scenarios where the state of content does not change between revisions.

Reported by

Fixed by

External URL injection through URL aliases – Moderately Critical – Open Redirect – Drupal 7 and Drupal 8

The path module allows users with the ‘administer paths’ to create pretty URLs for content.

In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url.

The issue is mitigated by the fact that the user needs the administer paths permission to exploit.

Reported by

Fixed by

Anonymous Open Redirect – Moderately Critical – Open Redirect – Drupal 8

Drupal core and contributed modules frequently use a “destination” query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

This vulnerability has been publicly documented.

RedirectResponseSubscriber event handler removal

As part of the fix, \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination has been removed, although this is a public function, it is not considered an API as per our API policy for event subscribers.
If you have extended that class or are calling that method, you should review your implementation in line with the changes in the patch. The existing function has been removed to prevent a false sense of security.

Reported by

Fixed by

Injection in DefaultMailSystem::mail() – Critical – Remote Code Execution – Drupal 7 and Drupal 8

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

Reported by

Fixed by

Contextual Links validation – Critical – Remote Code Execution – Drupal 8

The Contextual Links module doesn’t sufficiently validate the requested contextual links.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access contextual links”.

Reported by

Fixed by

Solution

Upgrade to the most recent version of Drupal 7 or 8 core.

Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2019.

  • Advisory ID: DRUPAL-SA-CORE-2018-005
  • Project: Drupal core
  • Version: 8.x
  • CVE: CVE-2018-14773
  • Date: 2018-August-01

Description

The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue.

The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality. If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory and update or patch as needed.

The Drupal Security Team would like to to thank the Symfony and Zend Security teams for their collaboration on this issue.

Versions affected

8.x versions before 8.5.6.

Solution

Upgrade to Drupal 8.5.6.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Reported By

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

Project: 
Date: 
2018-April-25
Vulnerability: 
Remote Code Execution
CVE IDs: 
CVE-2018-7602
Description: 

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Updated — this vulnerability is being exploited in the wild.

Solution: 

Upgrade to the most recent version of Drupal 7 or 8 core.

  • If you are running 7.x, upgrade to Drupal 7.59.
  • If you are running 8.5.x, upgrade to Drupal 8.5.3.
  • If you are running 8.4.x, upgrade to Drupal 8.4.8. (Drupal 8.4.x is no longer supported and we don’t normally provide security releases for unsupported minor releases. However, we are providing this 8.4.x release so that sites can update as quickly as possible. You should update to 8.4.8 immediately, then update to 8.5.3 or the latest secure release as soon as possible.)

If you are unable to update immediately, or if you are running a Drupal distribution that does not yet include this security release, you can attempt to apply the patch below to fix the vulnerability until you are able to update completely:

These patches will only work if your site already has the fix from SA-CORE-2018-002 applied. (If your site does not have that fix, it may already be compromised.)

Reported By: 
Fixed By: 

Project: 
Date: 
2018-April-18
Vulnerability: 
Cross Site Scripting
CVE IDs: 
CVE-2018-9861
Description: 

CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).

We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.

Solution: 
  • If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7.
  • The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.
  • If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG module or the CKEditor module with CKEditor locally) and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor’s site.
Reported By: 
Fixed By: 

Project: 
Date: 
2018-March-28
Vulnerability: 
Remote Code Execution
CVE IDs: 
CVE-2018-7600
Description: 

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

The security team has written an FAQ about this issue.

Solution: 

Upgrade to the most recent version of Drupal 7 or 8 core.

  • If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
  • If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)

Drupal 8.3.x and 8.4.x are no longer supported and we don’t normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0.

Your site’s update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.

This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.

This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.

Reported By: 
Fixed By: 

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Project: 
Version: 
8.4.x-dev
7.x-dev
Date: 
2018-February-21
Vulnerability: 
Multiple Vulnerabilities
Description: 

This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list.

Comment reply form allows access to restricted content – Critical – Drupal 8 – CVE-2017-6926

Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.

This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.

JavaScript cross-site scripting prevention is incomplete – Critical – Drupal 7 and Drupal 8 – CVE-2017-6927

Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output is not auto-escaped by either Drupal 7 or Drupal 8). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.

The PHP functions which Drupal provides for HTML escaping are not affected.

Private file access bypass – Moderately Critical – Drupal 7 – CVE-2017-6928

When using Drupal’s private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

jQuery vulnerability with untrusted domains – Moderately Critical – Drupal 7 – CVE-2017-6929

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains (the CVE for this issue in jQuery is CVE-2015-9251). This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.

For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.

Language fallback can be incorrect on multilingual sites with node access restrictions – Moderately Critical – Drupal 8 – CVE-2017-6930

When using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability.

This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records().

Note that the update will mark the node access tables as needing a rebuild, which will take a long time on sites with a large number of nodes.

Settings Tray access bypass – Moderately Critical – Drupal 8 – CVE-2017-6931

The Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for.

If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses.

This vulnerability can be mitigated by disabling the Settings Tray module.

External link injection on 404 pages when linking to the current page – Less Critical – Drupal 7 – CVE-2017-6932

Drupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

Solution: 

Install the latest version:

Reported By: 
  • Comment reply form allows access to restricted content – Critical – Drupal 8

  • JavaScript cross-site scripting prevention is incomplete – Critical – Drupal 7 and Drupal 8)

  • Private file access bypass – Moderately Critical – Drupal 7

  • jQuery vulnerability with untrusted domains – Moderately Critical – Drupal 7

  • Language fallback can be incorrect on multilingual sites with node access restrictions – Moderately Critical – Drupal 8

  • Settings Tray access bypass – Moderately Critical – Drupal 8

  • External link injection on 404 pages when linking to the current page – Less Critical – Drupal 7

Fixed By: 

Drupal 8.3.7 is a maintenance release which contain fixes for security vulnerabilities.

Updating your existing Drupal 8 sites is strongly recommended (see instructions for Drupal 8). This release fixes security issues only; there are no new features nor non-security-related bug fixes in this release. See the 8.3.7 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.

Description

Views – Access Bypass – Moderately Critical – Drupal 8 – CVE-2017-6923

When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view.

It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.

REST API can bypass comment approval – Access Bypass – Moderately Critical – Drupal 8 – CVE-2017-6924

When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments.

This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.

Entity access bypass for entities that do not have UUIDs or have protected revisions – Access Bypass – Critical – Drupal 8 – CVE-2017-6925

There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity.

Versions affected

  • Drupal core 8.x versions prior to 8.3.7

Solution

Install the latest version:

Drupal 7 core is not affected, however, Drupal 7 Views is: see Views – Moderately Critical – Access Bypass – DRUPAL-SA-CONTRIB-2017-068

Also see the Drupal core project page.

Reported by

Views – Access Bypass

REST API can bypass comment approval – Access Bypass

Entity access bypass for entities that do not have UUIDs or protected revisions – Access Bypass

Fixed by

Views – Access Bypass

REST API can bypass comment approval – Access Bypass

Entity access bypass for entities that do not have UUIDs or protected revisions – Access Bypass

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal 8.3.4 and Drupal 7.56 are maintenance releases which contain fixes for security vulnerabilities.

Updating your existing Drupal 8 and 7 sites is strongly recommended (see instructions for Drupal 8 and for Drupal 7). This release fixes security issues only; there are no new features nor non-security-related bug fixes in this release. See the 8.3.4 release notes and the 7.56 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.

  • Advisory ID: DRUPAL-SA-CORE-2017-003
  • Project: Drupal core
  • Version: 7.x, 8.x
  • Date: 2017-June-21
  • Multiple vulnerabilities

Description

PECL YAML parser unsafe object handling – Critical – Drupal 8 – CVE-2017-6920

PECL YAML parser does not handle PHP objects safely during certain operations within Drupal core. This could lead to remote code execution.

File REST resource does not properly validate – Less Critical – Drupal 8 – CVE-2017-6921

The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource.

Files uploaded by anonymous users into a private file system can be accessed by other anonymous users – Moderately Critical – Drupal 7 and Drupal 8 – CVE-2017-6922

Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.

The security team has also received reports that this vulnerability is being exploited for spam purposes, similar to the scenario discussed in PSA-2016-003 for the public file system.

Versions affected

  • Drupal core 7.x versions prior to 7.56
  • Drupal core 8.x versions prior to 8.3.4

Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

PECL YAML parser unsafe object handling

File REST resource does not properly validate

Files uploaded by anonymous users into a private file system can be accessed by other anonymous users

Fixed by

PECL YAML parser unsafe object handling

File REST resource does not properly validate

Files uploaded by anonymous users into a private file system can be accessed by other anonymous users

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

Description

This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met:

  • The site has the RESTful Web Services (rest) module enabled.
  • The site allows PATCH requests.
  • An attacker can get or register a user account on the site.

While we don’t normally provide security releases for unsupported minor releases, given the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites that have not had a chance to update to 8.3.0 can update safely.

CVE identifier(s) issued

  • CVE-2017-6919

Versions affected

  • Drupal 8 prior to 8.2.8 and 8.3.1.
  • Drupal 7.x is not affected.

Solution

  • If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8.
  • If the site is running Drupal 8.3.0, upgrade to 8.3.1.

Also see the Drupal core project page.

Reported by

Fixed by

Coordinated by

  • The Drupal Security team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal 8.2.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download.

Update your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release. See the 8.2.7 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.

  • Advisory ID: DRUPAL-SA-CORE-2017-001
  • Project: Drupal core
  • Version: 8.x
  • Date: 2017-March-15

Description

Editor module incorrectly checks access to inline private files – Drupal 8 – Access Bypass – Critical – CVE-2017-6377

When adding a private file via a configured text editor (like CKEditor), the editor will not correctly check access for the file being attached, resulting in an access bypass.

Some admin paths were not protected with a CSRF token – Drupal 8 – Cross Site Request Forgery – Moderately Critical – CVE-2017-6379

Some administrative paths did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

Remote code execution – Drupal 8 – Remote code execution – Moderately Critical – CVE-2017-6381

A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution.

This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren’t normal installed.

You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren’t vulnerable, you can remove the /vendor/phpunit directory from the site root of your production deployments.

Solution

Update to Drupal 8.2.7

Reported by

Editor module incorrectly checks access to inline private files – Drupal 8 – Access Bypass – Critical – CVE-2017-6377

Some admin paths were not protected with a CSRF token – Drupal 8 – Cross Site Request Forgery – Moderately Critical – CVE-2017-6379

Remote code execution – Drupal 8 – Remote code execution – Moderately Critical – CVE-2017-6381

Fixed by

Editor module incorrectly checks access to inline private files – Drupal 8 – Access Bypass – Critical – CVE-2017-6377

Some admin paths were not protected with a CSRF token – Drupal 8 – Cross Site Request Forgery – Moderately Critical – CVE-2017-6379

Remote code execution – Drupal 8 – Remote code execution -Moderately Critical – CVE-2017-6381

Updates

Updated the above text to link to the correct update directions.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Description

Inconsistent name for term access query (Less critical – Drupal 7 and Drupal 8)

Drupal provides a mechanism to alter database SELECT queries before they are executed. Contributed and custom modules may use this mechanism to restrict access to certain entities by implementing hook_query_alter() or hook_query_TAG_alter() in order to add additional conditions. Queries can be distinguished by means of query tags. As the documentation on EntityFieldQuery::addTag() suggests, access-tags on entity queries normally follow the form ENTITY_TYPE_access (e.g. node_access). However, the taxonomy module’s access query tag predated this system and used term_access as the query tag instead of taxonomy_term_access.

As a result, before this security release modules wishing to restrict access to taxonomy terms may have implemented an unsupported tag, or needed to look for both tags (term_access and taxonomy_term_access) in order to be compatible with queries generated both by Drupal core as well as those generated by contributed modules like Entity Reference. Otherwise information on taxonomy terms might have been disclosed to unprivileged users.

Incorrect cache context on password reset page (Less critical – Drupal 8)

The user password reset form does not specify a proper cache context, which can lead to cache poisoning and unwanted content on the page.

Confirmation forms allow external URLs to be injected (Moderately critical – Drupal 7)

Under certain circumstances, malicious users could construct a URL to a confirmation form that would trick users into being redirected to a 3rd party website after interacting with the form, thereby exposing the users to potential social engineering attacks.

Denial of service via transliterate mechanism (Moderately critical – Drupal 8)

A specially crafted URL can cause a denial of service via the transliterate mechanism.

CVE identifier(s) issued

  • Inconsistent name for term access query: CVE-2016-9449
  • Incorrect cache context on password reset page: CVE-2016-9450
  • Confirmation forms allow external URLs to be injected: CVE-2016-9451
  • Denial of service via transliterate mechanism: CVE-2016-9452

Versions affected

  • Drupal core 7.x versions prior to 7.52
  • Drupal core 8.x versions prior to 8.2.3

Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Inconsistent name for term access query:

Incorrect cache context on password reset page:

Confirmation forms allow external URLs to be injected:

Denial of service via transliterate mechanism:

Fixed by

Inconsistent name for term access query:

Incorrect cache context on password reset page:

Confirmation forms allow external URLs to be injected:

Denial of service via transliterate mechanism:

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 

Description

Users without “Administer comments” can set comment visibility on nodes they can edit. (Less critical)

Users who have rights to edit a node, can set the visibility on comments for that node. This should be restricted to those who have the administer comments permission.

Cross-site Scripting in http exceptions (critical)

An attacker could create a specially crafted url, which could execute arbitrary code in the victim’s browser if loaded. Drupal was not properly sanitizing an exception

Full config export can be downloaded without administrative permissions (critical)
The system.temporary route would allow the download of a full config export. The full config export should be limited to those with Export configuration permission.

CVE identifier(s) issued

  • Users without “Administer comments” can set comment visibility on nodes they can edit: CVE-2016-7570
  • Cross-site Scripting in http exceptions: CVE-2016-7571
  • Full config export can be downloaded without administrative permissions: CVE-2016-7572

Versions affected

8.x

Solution

Upgrade to Drupal 8.1.10

Reported by

Users without “Administer comments” can set comment visibility on nodes they can edit.

XSS in http exceptions

Full config export can be downloaded without administrative permissions

Fixed by

Users without “Administer comments” can set comment visibility on nodes they can edit.

XSS in http exceptions

Full config export can be downloaded without administrative permissions

Coordinated by

The Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: