Skip to content

Drupal core Access control bypass

Moderate severity GitHub Reviewed Published May 15, 2024 to the GitHub Advisory Database • Updated May 15, 2024

Package

composer drupal/drupal (Composer)

Affected versions

>= 8.0.0, < 8.7.11
>= 8.8.0, < 8.8.1

Patched versions

8.7.11
8.8.1

Description

The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations.

Solution:

If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11.
If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1.
Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Alternatively, you may mitigate this vulnerability by unchecking the "Enable advanced UI" checkbox on /admin/config/media/media-library. (This mitigation is not available in 8.7.x.)

References

Published to the GitHub Advisory Database May 15, 2024
Reviewed May 15, 2024
Last updated May 15, 2024

Severity

Moderate
4.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-5x28-3f32-x523

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.