
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3121
                                Drupal core
                             16 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal core
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Remote with User Interaction
                   Access Confidential Data   -- Remote/Unauthenticated      
                   Reduced Security           -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13677 CVE-2020-13676 CVE-2020-13675
                   CVE-2020-13674 CVE-2020-13673 

Original Bulletin: 
   https://www.drupal.org/sa-core-2021-06
   https://www.drupal.org/sa-core-2021-07
   https://www.drupal.org/sa-core-2021-08
   https://www.drupal.org/sa-core-2021-09
   https://www.drupal.org/sa-core-2021-10

Comment: This bulletin contains five (5) Drupal security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006

Project:       Drupal core

Date:          2021-September-15

Security risk: Moderately critical
               AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default

Vulnerability: Cross Site Request Forgery

CVE IDs:       CVE-2020-13673

Description:

The Drupal core Media module allows embedding internal and external media in
content fields. In certain circumstances, the filter could allow an
unprivileged user to inject HTML into a page when it is accessed by a trusted
user with permission to embed media. In some cases, this could lead to
cross-site scripting.

This advisory is not covered by Drupal Steward.

Also see Entity Embed - Moderately critical - Cross Site Request Forgery -
SA-CONTRIB-2021-028, which addresses a similar vulnerability in that module.

Updated 18:15 UTC to clarify text.

Solution:

Install the latest version:

  o If you are using Drupal 9.2, update to Drupal 9.2.6.
  o If you are using Drupal 9.1, update to Drupal 9.1.13.
  o If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are
end-of-life and do not receive security coverage.

Drupal 7 core is not affected.

Reported By:

  o Aaron Zinck

Fixed By:

  o Aaron Zinck
  o Sean Blommaert
  o Alex Bronstein of the Drupal Security Team
  o Marcos Cano
  o Lee Rowlands of the Drupal Security Team
  o Adam G-H
  o Jess of the Drupal Security Team
  o Drew Webber of the Drupal Security Team
  o Neil Drumm of the Drupal Security Team
  o Brian Tofte-Schumacher

----------------------------------------------------------------------------------

Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-007

Project:       Drupal core

Date:          2021-September-15

Security risk: Moderately critical
               AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability: Cross Site Request Forgery

CVE IDs:       CVE-2020-13674

Description:

The QuickEdit module does not properly validate access to routes, which could
allow cross-site request forgery under some circumstances and lead to possible
data integrity issues.

Sites are only affected if the QuickEdit module (which comes with the Standard
profile) is installed. Removing the "access in-place editing" permission from
untrusted users will not fully mitigate the vulnerability.

This advisory is not covered by Drupal Steward.

Solution:

Install the latest version:

  o If you are using Drupal 9.2, update to Drupal 9.2.6.
  o If you are using Drupal 9.1, update to Drupal 9.1.13.
  o If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are
end-of-life and do not receive security coverage.

Drupal 7 core does not include the QuickEdit module and therefore is not
affected.

Uninstalling the QuickEdit module will also mitigate the vulnerability. Site
owners may wish to consider this option as the QuickEdit module will be removed
from core in Drupal 10.

Reported By:

  o Samuel Mortenson

Fixed By:

  o Wim Leers
  o Greg Knaddison of the Drupal Security Team
  o Jess of the Drupal Security Team
  o Lee Rowlands of the Drupal Security Team
  o Vijay Mani
  o Heine of the Drupal Security Team
  o Alex Bronstein of the Drupal Security Team
  o Adam G-H
  o Drew Webber of the Drupal Security Team
  o Theodore Biadala

----------------------------------------------------------------------------------

Drupal core - Moderately critical - Access bypass - SA-CORE-2021-008

Project:       Drupal core

Date:          2021-September-15

Security risk: Moderately critical
               AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Uncommon

Vulnerability: Access bypass

CVE IDs:       CVE-2020-13675

Description:

Drupal's JSON:API and REST/File modules allow file uploads through their HTTP
APIs. The modules do not correctly run all file validation, which causes an
access bypass vulnerability. An attacker might be able to upload files that
bypass the file validation process implemented by modules on the site.

This vulnerability is mitigated by three factors:

 1. The JSON:API or REST File upload modules must be enabled on the site.
 2. An attacker must have access to a file upload via JSON:API or REST.
 3. The site must employ a file validation module.

This advisory is not covered by Drupal Steward.

Also see GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2021-029,
which addresses a similar vulnerability in that module.

Solution:

Install the latest version:

  o If you are using Drupal 9.2, update to Drupal 9.2.6.
  o If you are using Drupal 9.1, update to Drupal 9.1.13.
  o If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are
end-of-life and do not receive security coverage.

Drupal 7 core is not affected.

Reported By:

  o Klaus Purer

Fixed By:

  o Klaus Purer
  o Lee Rowlands of the Drupal Security Team
  o Alex Pott of the Drupal Security Team
  o Jess of the Drupal Security Team
  o Samuel Mortenson
  o Drew Webber of the Drupal Security Team
  o Kim Pepper

----------------------------------------------------------------------------------

Drupal core - Moderately critical - Access bypass - SA-CORE-2021-009

Project:       Drupal core

Date:          2021-September-15

Security risk: Moderately critical
               AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability: Access bypass

CVE IDs:       CVE-2020-13676

Description:

The QuickEdit module does not properly check access to fields in some
circumstances, which can lead to unintended disclosure of field data.

Sites are only affected if the QuickEdit module (which comes with the Standard
profile) is installed.

This advisory is not covered by Drupal Steward.

Solution:

Install the latest version:

  o If you are using Drupal 9.2, update to Drupal 9.2.6.
  o If you are using Drupal 9.1, update to Drupal 9.1.13.
  o If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are
end-of-life and do not receive security coverage.

Drupal 7 core does not include the QuickEdit module and therefore is not
affected.

Uninstalling the QuickEdit module will also mitigate the vulnerability. Site
owners may wish to consider this option as the QuickEdit module will be removed
from core in Drupal 10.

Reported By:

  o Greg Watson

Fixed By:

  o Greg Watson
  o Wim Leers
  o Jess of the Drupal Security Team
  o Alex Bronstein of the Drupal Security Team
  o Lee Rowlands of the Drupal Security Team
  o Joseph Zhao
  o Vijay Mani
  o Adam G-H
  o Drew Webber of the Drupal Security Team

----------------------------------------------------------------------------------

Drupal core - Moderately critical - Access Bypass - SA-CORE-2021-010

Project:       Drupal core

Date:          2021-September-15

Security risk: Moderately critical
               AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability: Access Bypass

CVE IDs:       CVE-2020-13677

Description:

Under some circumstances, the Drupal core JSON:API module does not properly
restrict access to certain content, which may result in unintended access
bypass.

Sites that do not have the JSON:API module enabled are not affected.

This advisory is not covered by Drupal Steward.

Solution:

Install the latest version:

  o If you are using Drupal 9.2, update to Drupal 9.2.6.
  o If you are using Drupal 9.1, update to Drupal 9.1.13.
  o If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are
end-of-life and do not receive security coverage.

Drupal 7 core does not include the JSON:API module and therefore is not
affected.

Reported By:

  o Brad Jones

Fixed By:

  o Brad Jones
  o Jess of the Drupal Security Team
  o Bjorn Brala
  o Gabe Sullice
  o Mateu Aguilo Bosch

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================