SB2019121901 - Multiple vulnerabilities in Drupal

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to absent access restrictions to the install.php script. A remote unauthenticated attacker can access the install.php script and corrupt cached data that will lead to website inaccessibility.

2) Input validation error (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass imposed security restrictions.

The vulnerability exists due to insufficient validation of user-supplied file names during upload in the file_save_upload() function that does not strip the leading and trailing dot ('.') from filenames. A remote attacker with ability to download files can upload system files such as .htaccess and bypass imposed security restrictions.

3) Arbitrary file upload (CVE-ID: N/A)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to usage of vulnerable Archive_Tar library. If Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads, a remote attacker can upload and execute arbitrary PHP code on the system.

4) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in Media Library module. A remote attacker can bypass implemented security restrictions and gain unauthorized access to media items in certain configurations.

Remediation

Install update from vendor's website.

References

• https://www.drupal.org/sa-core-2019-009
• https://www.drupal.org/sa-core-2019-010
• https://www.drupal.org/sa-core-2019-012
• https://www.drupal.org/sa-core-2019-011