Vulnerability from drupal
Published
2023-08-23 14:51
Modified
2023-08-23 18:45
Summary
Details

The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

As this is an API module, it is only exploitable if a "client" module exposes the vulnerability. Details of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.

This vulnerability is mitigated by the fact that an attacker typically needs an "admin"-type permission provided by one of ACL's client modules.

Known client modules include:

  • Forum Access
  • Flexi Access
  • Content Access

Coordinated Security Advisories are being released for those client modules that have Security coverage.

Credits
Drew Webber www.drupal.org/user/255969
Samuel Mortenson www.drupal.org/user/2582268
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c1.0.0"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/acl"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c1.0.0"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/user/255969"
      ],
      "name": "Drew Webber"
    },
    {
      "contact": [
        "https://www.drupal.org/user/2582268"
      ],
      "name": "Samuel Mortenson"
    }
  ],
  "details": "The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.\n\nThe module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.\n\nAs this is an API module, it is only exploitable if a \"client\" module exposes the vulnerability. Details of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker typically needs an \"admin\"-type permission provided by one of ACL\u0027s client modules.\n\nKnown client modules include:\n\n* Forum Access\n* Flexi Access\n* Content Access\n\nCoordinated Security Advisories are being released for those client modules that have Security coverage.",
  "id": "DRUPAL-CONTRIB-2023-034",
  "modified": "2023-08-23T18:45:47.000Z",
  "published": "2023-08-23T14:51:16.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2023-034"
    }
  ],
  "schema_version": "1.7.0"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.