
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN166
_____________________________________________________________________

DATE                : 18/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Fast Autocomplete for Drupal
                       versions 8.x, 9.x prior to 8.x-1.8.

=====================================================================
https://www.drupal.org/sa-contrib-2021-005
_____________________________________________________________________

Fast Autocomplete - Moderately critical - Access bypass -
SA-CONTRIB-2021-005

Project: Fast Autocomplete
Version: 8.x-1.7
         8.x-1.6
         8.x-1.5
         8.x-1.4
         8.x-1.3
         8.x-1.2
         8.x-1.1
         8.x-1.0

Date:    2021-March-17
Security risk:
Moderately critical 12/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability: Access bypass


Description:

The Fast Autocomplete module provides fast IMDB-like suggestions below a
text input field. Suggestions are stored as JSON files in the public
files folder so that they can be provided to the browser relatively fast
without the need for Drupal to be bootstrapped.

The module doesn't correctly generate certain hashes when the
configuration option "Perform search as anonymous user only" is switched
from the default on value to off.

This enables a malicious user to read search results generated by users
with other roles, disclosing search results the user normally has no
access to.
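An added illustration, not the module's code (the advisory does not show it), of the key-derivation pattern behind this bypass: once results are no longer computed as the anonymous user, a public suggestion file whose name is a hash that omits the requesting user's role set is served to any later request for the same term. The salt, role sets, hypothetical `bind_roles` switch and sample result are all constructed for the model.

```python
import hashlib
import hmac

# Constructed salt standing in for a site-specific secret (assumption, not the module's).
SITE_SALT = b"constructed-site-salt"


def suggestion_key(term: str, roles: frozenset, anonymous_only: bool, bind_roles: bool) -> str:
    """Derive the public JSON file name that caches the suggestions for a term.

    anonymous_only: every search runs as the anonymous user, so one file per
    term is correct and roles may be ignored.
    bind_roles (hypothetical switch): when anonymous_only is off, the role set
    of the requesting user must be part of the keyed hash; a key that omits it
    reproduces the cross-role disclosure the advisory describes.
    """
    material = term.encode()
    if not anonymous_only and bind_roles:
        material += b"\0" + ",".join(sorted(roles)).encode()
    return hmac.new(SITE_SALT, material, hashlib.sha256).hexdigest()


def simulate_lookup(bind_roles: bool):
    """Model: an editor's search writes a file into the public files folder,
    then an anonymous visitor requests suggestions for the same term.
    Returns what the visitor receives (None means no cached file matched)."""
    public_files = {}  # file name -> cached JSON payload (in-memory stand-in)
    editor_roles = frozenset({"authenticated", "editor"})
    anon_roles = frozenset({"anonymous"})
    # Constructed sample: the editor's results include content anonymous users may not see.
    editor_key = suggestion_key("roadmap", editor_roles, False, bind_roles)
    public_files[editor_key] = ["Unpublished roadmap (editor-only)"]
    # The anonymous visitor's request resolves to a file name with the same derivation.
    anon_key = suggestion_key("roadmap", anon_roles, False, bind_roles)
    return public_files.get(anon_key)


def anonymous_only_keys_match() -> bool:
    """With the default 'anonymous only' setting, all roles share one file per term."""
    a = suggestion_key("roadmap", frozenset({"editor"}), True, True)
    b = suggestion_key("roadmap", frozenset({"anonymous"}), True, True)
    return a == b
```

The role-blind derivation (`bind_roles=False`) hands the editor's cached file to the anonymous visitor; binding the role set yields distinct file names, which is the property the fixed release and the "anonymous only" workaround both restore.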


Solution:

Install the latest version:

    If you use the Fast Autocomplete module for Drupal 8.x or 9.x,
    upgrade to Fast Autocomplete 8.x-1.8.

Alternatively, re-enable the setting "Perform search as anonymous user
only" to only display anonymous search results and delete the generated
files by using the "Delete json files" option in all Fast Autocomplete
configurations.


Fast Autocomplete for Drupal 7.x is not affected.


Reported By:

    Heine Deelstra of the Drupal Security Team


Fixed By:

    Heine Deelstra of the Drupal Security Team
    Martijn Vermeulen


Coordinated By:

    Heine Deelstra of the Drupal Security Team


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


