GitHub Advisory Database: GHSA-5X28-3F32-X523
History: May 15, 2024 - 9:00 p.m.

Drupal core Access control bypass

2024-05-15 21:00:34
GitHub Advisory Database
github.com
drupal
media library
security vulnerability
access control
upgrade

AI Score: 7 High (Confidence: Low)

The Media Library module has a security vulnerability whereby it doesn’t sufficiently restrict access to media items in certain configurations.

Solution:

If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11.
If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1.
Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Alternatively, you may mitigate this vulnerability by unchecking the “Enable advanced UI” checkbox on /admin/config/media/media-library. (This mitigation is not available in 8.7.x.)

Affected configurations

Vulners
Node
drupal  drupal  Range  <8.8.1
OR
drupal  drupal  Range  <8.7.11

CPE
Name            Operator   Version
drupal/drupal   lt         8.8.1
drupal/drupal   lt         8.7.11
