===================================================================
                            CERT-Renater

                Note d'Information No. 2023/VULN046
_____________________________________________________________________

DATE                 : 02/02/2023

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running
                       Apigee Edge for Drupal versions prior to 2.0.8, 8.x-1.x,
                       Media Library Form API Element for Drupal versions prior to 2.0.6,
                       Media Library Block for Drupal versions prior to 1.0.4,
                       Entity Browser for Drupal versions prior to 8.x-2.9,
                       Private Taxonomy Terms for Drupal versions prior to 8.x-2.6.

===================================================================
https://www.drupal.org/sa-contrib-2023-005
https://www.drupal.org/sa-contrib-2023-004
https://www.drupal.org/sa-contrib-2023-003
https://www.drupal.org/sa-contrib-2023-002
https://www.drupal.org/sa-contrib-2023-001
_____________________________________________________________________

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2023-005

Project: Apigee Edge
Date: 2023-February-01
Security risk: Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass

Description:

The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal.

Previous module versions did not support entity query level access checking, which could have led to information disclosure or access bypass in various places.

Solution:

Install the latest version:

  - If you use the Apigee Edge module version 2.0.x for Drupal 9.x, upgrade to Apigee Edge 2.0.8
  - If you use the Apigee Edge module version 8.x-1.x for Drupal 9.x, upgrade to Apigee Edge 8.x-1.27

Reported By:
  Dezső Biczó

Fixed By:
  Dezső Biczó
  Shishir Suvarna

Coordinated By:
  Greg Knaddison of the Drupal Security Team
_____________________________________________________________________

Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004

Project: Media Library Form API Element
Version: 8.x-1.3, 8.x-1.2, 8.x-1.1
Date: 2023-January-18
Security risk: Moderately critical 13∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Information Disclosure
Affected versions: >=2.0 <2.0.6

Description:

This module enables you to use the media library in custom forms without the Media Library Widget.

The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible media will only be visible to users who can already edit content that includes a media reference field.

Solution:

Install the latest version:

  - If you use the Media Library Form API Element module versions 2.x for Drupal 9 or 10, upgrade to 2.0.6.
  - If you use the Media Library Form API Element module version 8.x-1.* they are all affected and are no longer supported. You should upgrade to 2.0.6.

Reported By:
  Benji Fisher of the Drupal Security Team
  Dan Flanagan

Fixed By:
  Kim Kennof
  Lauri Eskola
  Alex Bronstein of the Drupal Security Team
  Luke Leber
  Lee Rowlands of the Drupal Security Team

Coordinated By:
  xjm of the Drupal Security Team
  Lee Rowlands of the Drupal Security Team
  Benji Fisher of the Drupal Security Team
_____________________________________________________________________

Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003

Project: Media Library Block
Date: 2023-January-18
Security risk: Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure
Affected versions: >=1.0 <1.0.4

Description:

The Media Library Block module allows you to render a media entity in a block.

The module does not properly check media access in some circumstances. This may result in unauthorized users (including anonymous users) seeing media items they are not authorized to access if a block containing a restricted media item is placed on the page.

Administrators may mitigate this vulnerability by removing blocks referencing media items that have access restrictions.

Solution:

Install the latest version:

  - If you use the Media Library Block module for Drupal 9 or 10, upgrade to Media Library Block 1.0.4.

Reported By:
  Lee Rowlands of the Drupal Security Team
  Dan Flanagan

Fixed By:
  ayalon
  xjm of the Drupal Security Team
  Jan Hug
  Dan Flanagan

Coordinated By:
  Dave Reid of the Drupal Security Team
  Damien McKenna of the Drupal Security Team
_____________________________________________________________________

Entity Browser - Moderately critical - Information Disclosure - SA-CONTRIB-2023-002

Project: Entity Browser
Date: 2023-January-18
Security risk: Moderately critical 12∕25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure

Description:

The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget.

Entity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not authorized to access.

The vulnerability is mitigated by the fact that the inaccessible entities will only be visible to users who can already edit content using Entity Browser.

Solution:

Install the latest version:

  - If you use the Entity Browser module for Drupal 9 or 10, upgrade to Entity Browser 8.x-2.9.

Reported By:
  Lee Rowlands of the Drupal Security Team

Fixed By:
  Lee Rowlands of the Drupal Security Team
  Sascha Grossenbacher
  Benji Fisher of the Drupal Security Team
  xjm of the Drupal Security Team
  Lauri Eskola, provisional member of the Drupal Security Team
  Dan Flanagan

Coordinated By:
  xjm of the Drupal Security Team
  Lee Rowlands of the Drupal Security Team
  Benji Fisher of the Drupal Security Team
_____________________________________________________________________

Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001

Project: Private Taxonomy Terms
Date: 2023-January-11
Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass

Description:

This module enables users to create 'private' vocabularies.

The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View private taxonomies".

Solution:

Install the latest version:

  - If you use the Private Taxonomy Terms module for Drupal 8.x, upgrade to Private Taxonomy Terms 8.x-2.6

Reported By:
  Giuseppe

Fixed By:
  Conrad Lara
  Giuseppe

Coordinated By:
  Damien McKenna of the Drupal Security Team
  xjm of the Drupal Security Team
  Greg Knaddison of the Drupal Security Team

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================
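
Added example (not part of the CERT-Renater bulletin or of the Drupal advisories): a Python check that compares an inventory of installed module versions against the fixed releases listed in the Solution sections above. The inventory is constructed sample data, and the rule that a branch without its own fixed release is compared against the module's listed fix is an assumption that follows the bulletin's "prior to" wording.

```python
import re

# Fixed releases as listed in the bulletin, preferred upgrade target first.
FIXED = {
    "Apigee Edge": ["2.0.8", "8.x-1.27"],
    "Media Library Form API Element": ["2.0.6"],  # 8.x-1.* is unsupported
    "Media Library Block": ["1.0.4"],
    "Entity Browser": ["8.x-2.9"],
    "Private Taxonomy Terms": ["8.x-2.6"],
}

# Accepts both Drupal contrib ("8.x-1.27") and semantic ("2.0.8") versions.
_VER = re.compile(r"^(?:\d+\.x-)?(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?$")

def parse_version(text):
    """Return (major, minor, patch, is_release); pre-releases sort lower."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)

def status(project, installed):
    """Return ("affected", target), ("fixed", None) or ("unknown", None)."""
    fixes = FIXED.get(project)
    if fixes is None:
        return ("unknown", None)  # module not covered by this bulletin
    ver = parse_version(installed)
    same_branch = [f for f in fixes if parse_version(f)[0] == ver[0]]
    target = same_branch[0] if same_branch else fixes[0]
    if ver < parse_version(target):
        return ("affected", target)
    # A newer branch the bulletin does not mention cannot be judged here.
    return ("fixed", None) if same_branch else ("unknown", None)

def audit(inventory):
    """Map each affected project in the inventory to its upgrade target."""
    hits = {}
    for project, installed in inventory.items():
        state, target = status(project, installed)
        if state == "affected":
            hits[project] = target
    return hits

# Constructed sample inventory, not taken from any real site.
SAMPLE = {"Apigee Edge": "8.x-1.26", "Media Library Block": "1.0.4",
          "Entity Browser": "8.x-2.8", "Media Library Form API Element": "8.x-1.3"}

if __name__ == "__main__":
    for project, target in audit(SAMPLE).items():
        print(f"{project}: upgrade to {target}")
```

Version strings that are not numbered releases, such as development snapshots, raise ValueError and need to be reviewed by hand.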