Drupal core Access bypass

2024-05-1520:44:16

Google

osv.dev

drupal

core

media library

security

vulnerability

upgrade

mitigate

software

7 High

AI Score

Confidence

Low

JSON

The Media Library module has a security vulnerability whereby it doesn’t sufficiently restrict access to media items in certain configurations.

Solution:
If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11.
If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1.
Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Alternatively, you may mitigate this vulnerability by unchecking the “Enable advanced UI” checkbox on /admin/config/media/media-library. (This mitigation is not available in 8.7.x.)

CPENameOperatorVersion
drupal/coreeq8.4.0
drupal/coreeq8.7.0-alpha2
drupal/coreeq8.6.0-rc1
drupal/coreeq8.4.5
drupal/coreeq8.5.8
drupal/coreeq8.2.3
drupal/coreeq8.1.2
drupal/coreeq8.4.8
drupal/coreeq8.5.3
drupal/coreeq8.6.14

Name	Operator	Version
drupal/core	eq	8.4.0
drupal/core	eq	8.7.0-alpha2
drupal/core	eq	8.6.0-rc1
drupal/core	eq	8.4.5
drupal/core	eq	8.5.8
drupal/core	eq	8.2.3
drupal/core	eq	8.1.2
drupal/core	eq	8.4.8
drupal/core	eq	8.5.3
drupal/core	eq	8.6.14

Rows per page:

1-10 of 1211

References

github.com/drupal/core

github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2019-12-18-3.yaml

www.drupal.org/sa-core-2019-011

7 High

AI Score

Confidence

Low

JSON