
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN343
_____________________________________________________________________

DATE                : 01/07/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Block Content Revision UI for
                     Drupal versions prior to 2.127.2,
                     Linky Revision UI for Drupal versions prior to 2.127.2,
                     Apigee Edge for Drupal versions prior to 8.x-1.12.

=====================================================================
https://www.drupal.org/sa-contrib-2021-022
https://www.drupal.org/sa-contrib-2021-021
https://www.drupal.org/sa-contrib-2021-020
_____________________________________________________________________

Block Content Revision UI - Moderately critical - Access bypass -
SA-CONTRIB-2021-022

Project:         Block Content Revision UI
Date:            2021-June-30
Security risk:   Moderately critical 11∕25
                 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability:   Access bypass


Description:

This module provides a revision UI for Block Content entities.

The module doesn't sufficiently respect access restrictions to certain
entities when used in conjunction with specific modules.

This vulnerability is mitigated by the fact that an attacker must have a
role with any of the permissions provided by Block Content Revision UI,
and another affected module must be enabled.


Solution:

Install the latest version:

    If you use the Block Content Revision UI module for Drupal 8.x,
    upgrade to Block Content Revision UI 2.127.2


Reported By:
    Adam


Fixed By:
    Adam
    Michael Strelan


Coordinated By:

    Greg Knaddison of the Drupal Security Team
    Damien McKenna of the Drupal Security Team


_____________________________________________________________________

Linky Revision UI - Moderately critical - Access bypass -
SA-CONTRIB-2021-021

Project:          Linky Revision UI
Date:             2021-June-30
Security risk:    Moderately critical 11∕25
                  AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability:    Access bypass


Description:

This module provides a revision UI for Linky entities.

The module doesn't sufficiently respect access restrictions to certain
entities when used in conjunction with specific modules.

This vulnerability is mitigated by the fact that an attacker must have a
role with any of the permissions provided by Linky Revision UI, and
another affected module must be enabled.


Solution:

Install the latest version:

    If you use the Linky Revision UI module for Drupal 8.x, upgrade to
    Linky Revision UI 2.127.2


Reported By:

    Adam

Fixed By:

    Adam
    Michael Strelan

Coordinated By:

    Greg Knaddison of the Drupal Security Team
    Damien McKenna of the Drupal Security Team


_____________________________________________________________________

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2021-020


Project:         Apigee Edge
Date:            2021-June-30
Security risk:   Moderately critical 11∕25
                 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability:   Access bypass


Description:

The Apigee Edge module allows connecting a Drupal site to Apigee Edge in
order to build a developer portal.

The module did not properly validate user access for data creation in
certain circumstances.


Solution:

Install the latest version:

    If you use the apigee_edge module for Drupal 8.x, upgrade to Apigee
    Edge module 8.x-1.2 or later. Note that the 8.x-1.2 release is old and
    superseded due to SA-CONTRIB-2020-028. Users of the module should
    upgrade to version 8.x-1.12 or newer.
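
Added example (not part of the Drupal advisories or of any project's code): a
version check against the fixed releases listed in this bulletin. It parses
Drupal contrib version strings numerically, because a plain string comparison
ranks 8.x-1.2 above 8.x-1.12. The inventory, function names and the use of
project display names as keys are assumptions made for illustration.

```python
import re

# Fixed releases as stated in this bulletin, keyed by project display name.
FIXED = {
    "Block Content Revision UI": "2.127.2",
    "Linky Revision UI": "2.127.2",
    "Apigee Edge": "8.x-1.12",
}

# Pre-release stages sort below a final release (which gets rank 4).
_STAGE = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3}
_VERSION = re.compile(r"(?:\d+\.x-)?(\d+(?:\.\d+)*)(?:-(dev|alpha|beta|rc)(\d*))?")

def parse_version(text):
    """Turn '8.x-1.12', '8.x-1.12-rc1' or '2.127.2' into a comparable tuple."""
    m = _VERSION.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    nums += (0,) * max(0, 3 - len(nums))  # pad so (1, 12) equals (1, 12, 0)
    stage = _STAGE[m.group(2)] if m.group(2) else 4
    return nums, stage, int(m.group(3) or 0)

def audit(installed):
    """Map each listed project to 'ok', 'upgrade' or 'unknown'."""
    report = {}
    for project, version in installed.items():
        if project not in FIXED:
            continue  # not covered by this bulletin
        try:
            fixed = parse_version(FIXED[project])
            report[project] = "ok" if parse_version(version) >= fixed else "upgrade"
        except ValueError:
            report[project] = "unknown"  # e.g. a branch checkout; verify by hand
    return report

# Constructed inventory for illustration only (not data from the bulletin).
SAMPLE = {
    "Apigee Edge": "8.x-1.2",
    "Linky Revision UI": "2.127.2",
    "Block Content Revision UI": "8.x-1.x-dev",
}

if __name__ == "__main__":
    for project, status in audit(SAMPLE).items():
        print(f"{project}: {SAMPLE[project]} -> {status} (fixed in {FIXED[project]})")
```
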


Reported By:
    trebde


Fixed By:
    trebde
    gitesh.koli


Coordinated By:
    Greg Knaddison of the Drupal Security Team
    Damien McKenna of the Drupal Security Team



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


