Drupal Warns of Important Excessive Severity Vulnerability

Drupal Warns of Critical High Severity Vulnerability

Drupal issued two safety advisories warning of a vulnerabilities affecting a number of variations of Drupal that would permit an attacker to entry delicate info.

There are two vulnerabilities at the moment affecting Drupal. One is rated as a excessive severity essential vulnerability.

Vulnerability in Third Celebration Library

Drupal makes use of a 3rd get together templating engine known as Twig.

In accordance with Drupal documentation:

“When your net web page renders, the Twig engine takes the template and converts it right into a ‘compiled’ PHP template which is saved in a protected listing…”

The Twig library is utilized by Drupal for templating but additionally for a course of known as sanitization, which is a strategy to forestall malicious recordsdata from being uploaded.

Twig describes the vulnerabilities as one that enables an attacker to make use of the filesystem loader to entry delicate recordsdata.

Drupal warns:

“A number of vulnerabilities are attainable if an untrusted consumer has entry to write down Twig code, together with potential unauthorized learn entry to personal recordsdata, the contents of
different recordsdata on the server, or database credentials.”

This vulnerability impacts customers of Drupal 9.3 and 9.4.

Advisable Course of Motion for Mitigating Vulnerability

Customers of Drupal 9.3 are beneficial to replace to model 9.3.22.

Customers of Drupal 9.4 are suggested to replace to model 9.4.7.

Reasonable Vulnerability

Drupal additionally warned of an Entry Bypass vulnerability that’s rated as average affecting publishers that use the S3 File System module for Drupal 7.x.

An entry bypass vulnerability is one by which an attacker is ready to bypass authentication obstacles and entry to an utility and delicate recordsdata that they need to not
in any other case have entry to.

The vulnerability is described as:

“The module doesn’t sufficiently forestall file entry throughout a number of filesystem schemes saved in the identical bucket.”

The advisory notes that this vulnerability is mitigated by a number of steps that have to be taken earlier than an attacker can achieve entry.

The advisory explains:

“This vulnerability is mitigated by the truth that an attacker should get hold of a way to entry arbitrary file paths, the positioning should have public or non-public takeover enabled, and the file metadata cache have to be ignored.”

Advisable Course of Motion

Drupal customers who use the S3 File System module for Drupal 7.x are suggested to improve to S3 File System 7.x-2.14 to be able to patch the vulnerability.


Drupal core – Critical – Multiple vulnerabilities – SA-CORE-2022-016

S3 File System – Moderately critical – Access bypass – SA-CONTRIB-2022-057

Twig security release: Possibility to load a template outside a configured directory when using the filesystem loader

Featured picture by Shutterstock/Andrey_Popov


Source link

Leave A Comment



Our purpose is to build solutions that remove barriers preventing people from doing their best work.

Giza – 6Th Of October
(Sunday- Thursday)
(10am - 06 pm)

No products in the cart.

Select the fields to be shown. Others will be hidden. Drag and drop to rearrange the order.
  • Image
  • SKU
  • Rating
  • Price
  • Stock
  • Availability
  • Add to cart
  • Description
  • Content
  • Weight
  • Dimensions
  • Additional information
  • Attributes
  • Custom attributes
  • Custom fields
Click outside to hide the comparison bar
Compare ×
Let's Compare! Continue shopping