==================================================================== CERT-Renater Note d'Information No. 2019/VULN220 _____________________________________________________________________ DATE : 18/07/2019 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Drupal core versions 8.7.4. ===================================================================== https://www.drupal.org/sa-core-2019-008 _____________________________________________________________________ Drupal core - Critical - Access bypass - SA-CORE-2019-008 Project: Drupal core Date: 2019-July-17 Security risk: Critical 17∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default Vulnerability: Access bypass CVE IDs: CVE-2019-6342 Description: In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4. Drupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are not affected. Solution: If the site is running Drupal 8.7.4, upgrade to Drupal 8.7.5. Note, manual step needed. For sites with the Workspaces module enabled, update.php needs to run to ensure a required cache clear. If there is a reverse proxy cache or content delivery network (e.g. Varnish, CloudFlare) it is also advisable to clear these as well. Reported By: Dave Botsch Fixed By: Michael Hess of the Drupal Security Team Jess of the Drupal Security Team Greg Knaddison of the Drupal Security Team Chris McCafferty of the Drupal Security Team Neil Drumm of the Drupal Security Team Alex Pott of the Drupal Security Team Andrei Mateescu ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================