Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2012-101

HistoryJun 13, 2012 - 12:00 a.m.

SA-CONTRIB-2012-101 - Protected Node - Access Bypass

2012-06-1300:00:00

Drupal Security Team

www.drupal.org

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.013 Low

EPSS

Percentile

86.2%

JSON

The Protected Node module enables users to use a password to restrict access to an individual node or all nodes of a node type.

The module doesn’t sufficiently protect node access when nodes are accessed outside of the standard node view (i.e. node/1 is protected but other lists are not).

CVE: CVE-2012-2730

Versions affected

Protected node 6.x-1.x versions prior to 6.x-1.6.

Drupal core is not affected. If you do not use the contributed Protected node module, there is nothing you need to do.

Solution

Install the latest version:

If you use the Protected node module for Drupal 6.x, upgrade to Protected node 6.x-1.6

Also see the Protected node project page.

Reported by

Martin Barbella

Fixed by

Alexis Wilke the module maintainer

Coordinated by

Greg Knaddison of the Drupal Security Team
Michael Hess of the Drupal Security Team

References

drupal.org/contact

drupal.org/project/protected_node

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/102818

drupal.org/user/356197

drupal.org/user/36762

drupal.org/user/633600

drupal.org/writing-secure-code

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.013 Low

EPSS

Percentile

86.2%

JSON

Related for DRUPAL-SA-CONTRIB-2012-101