======================================================================

                              CERT-Renater

                   Note d'Information No. 2024/VULN245
_____________________________________________________________________

DATE                : 16/05/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running RESTful Web Services for Drupal
                                 versions prior to 7.x-2.10,
                       REST Views for Drupal versions prior to 3.0.1.

=====================================================================
https://www.drupal.org/sa-contrib-2024-019
https://www.drupal.org/sa-contrib-2024-018
_____________________________________________________________________

RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2024-019
Project: RESTful Web Services
Date: 2024-May-15
Security risk: Critical 16/25 AC:None/A:None/CI:Some/II:None/E:Proof/TD:All
Vulnerability: Access bypass


Description:
This module exposes Drupal resources (e.g. entities) as RESTful web
services.

The module does not sufficiently restrict access to user resources.

Solution:
Install the latest version:

     If you use the RESTful Web Services module for Drupal 7, upgrade
     to RESTful Web Services 7.x-2.10

Reported By:
     Fran Garcia-Linares

Fixed By:
     Neil Drumm of the Drupal Security Team
     Fran Garcia-Linares

Coordinated By:
     Neil Drumm of the Drupal Security Team

_____________________________________________________________________

REST Views - Moderately critical - Information Disclosure - SA-CONTRIB-2024-018
Project: REST Views

Date: 2024-April-24

Security risk: Moderately critical 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability: Information Disclosure

Affected versions: <3.0.1


Description:
The REST Views module lets site administrators create REST exports in
Views with additional options for serializing data.

This module does not correctly check access and may expose the paths
of unpublished content.

This vulnerability is mitigated by the fact that there must be a
specific content structure to expose.

Paths to unpublished entities (such as nodes) will be exposed if
those entities are referenced from other entities listed in a REST
display, and the reference field on those listed entities is
displayed with the "Entity path" formatter.
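The pattern behind the fix is to test view access on each referenced
entity before its path is serialized, rather than on the listed entity
alone. The formatter below is an added illustration by the editor of
that check, not code from the REST Views module or the Drupal Security
Team; the module name example_rest, the plugin id and the class name
are hypothetical. It uses only core Drupal 10 APIs (FormatterBase,
EntityInterface::access(), toUrl(), CacheableMetadata).

```php
<?php

namespace Drupal\example_rest\Plugin\Field\FieldFormatter;

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Field\FormatterBase;

/**
 * Illustrative formatter (hypothetical, not the REST Views code).
 *
 * Emits the path of each referenced entity only when the current user is
 * allowed to view that entity, so an unpublished node referenced from a
 * published one does not leak its path into a REST display.
 *
 * @FieldFormatter(
 *   id = "example_access_checked_entity_path",
 *   label = @Translation("Entity path (access checked)"),
 *   field_types = {"entity_reference"}
 * )
 */
class AccessCheckedEntityPathFormatter extends FormatterBase {

  /**
   * {@inheritdoc}
   */
  public function viewElements(FieldItemListInterface $items, $langcode) {
    $elements = [];
    foreach ($items as $delta => $item) {
      $entity = $item->entity;
      // A dangling reference has no target entity; nothing to render.
      if ($entity === NULL || !$entity->hasLinkTemplate('canonical')) {
        continue;
      }
      // The check that matters: 'view' access on the referenced entity.
      // For an unpublished node this fails for users without the
      // "view own/any unpublished content" permissions, so the path is
      // never serialized for them. The access result is returned as an
      // object so its cacheability can be attached to the output.
      $access = $entity->access('view', NULL, TRUE);
      if (!$access->isAllowed()) {
        continue;
      }
      $build = [
        '#markup' => $entity->toUrl()->toString(),
        // Invalidate when the referenced entity changes (e.g. is
        // unpublished later).
        '#cache' => ['tags' => $entity->getCacheTags()],
      ];
      // Merge the cache contexts of the access decision (user.permissions
      // and similar) so a cached response is not served across roles.
      CacheableMetadata::createFromObject($access)->applyTo($build);
      $elements[$delta] = $build;
    }
    return $elements;
  }

}
```

To confirm a site is no longer affected after upgrading, request the
REST export as an anonymous user and verify that no path of an
unpublished node appears in the serialized output; the same request
made as an administrator should still include it.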


Solution:
Install the latest version:

     REST Views 8.x-1.x versions are unsupported.
     REST Views 2.x versions: upgrade to REST Views 3.0.1
     REST Views 3.x versions prior to 3.0.1: upgrade to
             REST Views 3.0.1

Reported By:
     nicxvan

Fixed By:
     nicxvan

Coordinated By:
     Benji Fisher of the Drupal Security Team
     Greg Knaddison of the Drupal Security Team
     Cathy Theys of the Drupal Security Team


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
