A critical vulnerability in the Drupal Core engine was addressed in an update released Wednesday.
Drupal engineers are calling it an access bypass vulnerability and said a Drupal-based website is vulnerable only under certain conditions, including whether a site has the RESTful Web Services module enabled, whether it allows PATCH requests, and whether an attacker gets access to or registers a user account on such a site.
“The site is more likely to be vulnerable if an attacker can create or get access to a user account,” Drupal said in a FAQ published today. “There are some other, less common exploit vectors that require a site to have weak permissions allowing an anonymous user to perform actions typically reserved for authenticated users.”
Version 8 of the content management system prior to 8.2.8 and 8.3.1 is affected; Drupal 7.x is not affected, the advisory said.
“While we don’t normally provide security releases for unsupported minor releases, given the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites that have not had a chance to update to 8.3.0 can update safely,” the advisory said.
Drupal also recommends that user registration be disabled if it’s not critical to the organization.
“User registration should be disabled if it is not important to a site, and anonymous or untrusted users should be given only the minimum permissions that are appropriate for the site’s needs,” Drupal said. “Sites should also make it more difficult for an attacker to otherwise gain access to a more privileged account.”
Drupal recommends sites running on 8.2.7 or earlier be upgraded to 8.2.8, and sites running 8.3.0 be upgraded to 8.3.1.
“Drupal core 8.1 reached its end-of-life more than six months ago, and 8.0 has been past its end-of-life for a year,” Drupal said. “There are other disclosed security vulnerabilities that also affect 8.0 and 8.1, so anyone who has a site based on these should update as soon as they can.”
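To turn the version ranges and exposure conditions above into something an operator can run against a site inventory, here is an added triage helper. It is example code written for this page, not Drupal's or the article's own code: it encodes the advisory's statements (8.2.7 and earlier go to 8.2.8, 8.3.0 goes to 8.3.1, 7.x is unaffected, 8.0.x and 8.1.x are end-of-life) and combines them with the three exposure conditions (RESTful Web Services module enabled, PATCH requests allowed, attacker able to obtain an account). The `SiteExposure` fields are assumed inputs an operator would fill in by hand or from their own tooling, and pointing end-of-life 8.0.x/8.1.x sites at 8.3.1 is an assumption made here, since the advisory only says to update as soon as possible.

```python
"""Triage helper for the Drupal 8 access bypass fix described in the article.

Added example, not Drupal's code. Encodes the advisory's version ranges and
exposure conditions; the site-configuration inputs are assumed fields.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.2.7' into (8, 2, 7); tolerate a suffix such as '8.3.0-rc1'."""
    core = version.strip().split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    # Pad to major.minor.patch so comparisons are uniform.
    return nums + (0,) * (3 - len(nums)) if len(nums) < 3 else nums


def recommended_release(version: str) -> Optional[str]:
    """Return the release a site should move to, or None if it is not affected.

    Mirrors the advisory: 8.2.7 and earlier -> 8.2.8, 8.3.0 -> 8.3.1,
    7.x unaffected, 8.2.8 and 8.3.1+ already fixed. 8.0.x and 8.1.x have no
    security release of their own; sending them to 8.3.1 is an assumption
    made in this example.
    """
    major, minor, patch = parse_version(version)[:3]
    if major != 8:
        return None  # Drupal 7.x is not affected by this issue.
    if minor < 2:
        return "8.3.1"  # end-of-life line: move to the current supported release
    if minor == 2:
        return "8.2.8" if patch < 8 else None
    if minor == 3:
        return "8.3.1" if patch < 1 else None
    return None  # newer minors carry the fix


@dataclass
class SiteExposure:
    """Assumed site facts matching the advisory's exposure conditions."""
    core_version: str
    rest_module_enabled: bool
    patch_requests_allowed: bool
    attacker_can_obtain_account: bool  # open registration, or untrusted users already hold accounts


def assess(site: SiteExposure) -> dict:
    """Combine the version check with the advisory's exposure conditions.

    'affected' means the installed core lacks the fix; 'exposed' means the
    stated preconditions (REST enabled, PATCH allowed, account obtainable)
    are all met as well. Updating core fixes the issue either way; the
    extra flags drive prioritisation and the hardening advice Drupal gave.
    """
    target = recommended_release(site.core_version)
    affected = target is not None
    exposed = (affected and site.rest_module_enabled
               and site.patch_requests_allowed and site.attacker_can_obtain_account)
    actions: List[str] = []
    if affected:
        actions.append(f"update core to {target}")
    if site.attacker_can_obtain_account:
        actions.append("disable user registration if the site does not need it; "
                       "give anonymous and untrusted users minimum permissions")
    if affected and site.rest_module_enabled and site.patch_requests_allowed:
        actions.append("review whether PATCH must be allowed on REST resources until core is updated")
    return {"affected": affected, "exposed": exposed, "upgrade_to": target, "actions": actions}


if __name__ == "__main__":
    # Constructed sample inventory, not real sites.
    for site in (SiteExposure("8.2.7", True, True, True),
                 SiteExposure("8.3.0", False, True, False),
                 SiteExposure("7.54", True, True, True)):
        print(site.core_version, assess(site))
```

The `exposed` flag is deliberately narrower than `affected`: the advisory notes less common vectors that depend on weak anonymous permissions, so a site that is affected but not flagged as exposed should still be updated, and the flag only helps decide what to patch first.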
In March, a maintenance release for the Drupal Core was made available, and it included a number of security fixes, including a remote code execution vulnerability in an unnamed third-party development library integrated into Drupal 8.
The March update also patched an access bypass flaw. Drupal said that its editor module would not check access for private files added via text editors such as CKEditor.
Finally, a cross-site request forgery flaw in some administrative paths was also patched in March. Those paths, Drupal said, lacked CSRF protections; an attacker could exploit this to disable blocks on the site.
Before March, there hadn’t been a security update for Drupal since last fall. In November, cache poisoning and denial of service vulnerabilities were patched in the core engine, while in September, three bugs were addressed, including a cross-site scripting vulnerability, an issue where an attacker could download a system configuration report without authorization, and an issue around permissions for comments administration on a Drupal site.
This article was updated April 20 with additional comments from Drupal.