SA-CONTRIB-2013-049 - Node access user reference - Access Bypass

This module allows different access permissions to be given to authors, referenced users and non-referenced users.

When an author has created content containing a user reference field (with author update/delete grants enabled) and the author’s user account is later deleted, content created by them can be edited by anonymous users.

CVE identifier(s) issued

• CVE-2013-2123

Versions affected

• nodeaccess_userreference 6.x-3.x versions prior to 6.x-3.5.
• nodeaccess_userreference 7.x-3.x versions prior to 7.x-3.10.

Drupal core is not affected. If you do not use the contributed Node access user reference module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the nodeaccess_userreference module for Drupal 6.x, upgrade to nodeaccess_userreference 6.x-3.5
• If you use the nodeaccess_userreference module for Drupal 7.x, upgrade to nodeaccess_userreference 7.x-3.10

Also see the Node access user reference project page.

Reported by

• Jamie Wiseman

Fixed by

• Jamie Wiseman
• Dan Smith provisional member of the Drupal Security Team
• Chris Hales and Greg Knaddison of the Drupal Security Team

Coordinated by

• Dan Smith provisional member of the Drupal Security Team