Thursday, April 20, 2017

Drupal vulnerability spotted

The Drupal security team has discovered a critical vulnerability in a third-party module named References.
The Drupal team published a security advisory on April 12 informing its users of the critical flaw.
The flaw has a huge impact on the Drupal community because the affected module is currently used by more than 121,000 websites.


“The module is currently used by over 120 000 individual Drupal installations, but is no longer maintained. The last update was done in February 2013. Unfortunately, a critical security vulnerability in this references module has been reported by the Drupal core security team as SA-CONTRIB-2017-38:
Please note, the security team will not release information on this vulnerability for up to a month, the recommendation is to migrate. Emails asking for details on the vulnerability will not be responded to. If you would like to maintain the module, please follow the directions below.” states Drupal.
The References module allows users to add references between nodes for more complex information architectures.
The module was initially flagged by the Drupal development team as unsupported; its last update was released in February 2013.
The good news for References users is that, on April 14, the Drupal security team announced that the module was assigned to a new maintainer.
“2017-04-14 – A potential new maintainer is working through the process of fixing the References module. When this is complete a new release will be published and this SA will be updated.” reads the advisory.
A few days later, on April 18, the problem was fixed with the release of References 7.x-2.2.
The Drupal security team did not disclose the technical details of the vulnerability in order to avoid exploitation of the flaw in the wild. Unfortunately, it will be very difficult to upgrade websites that rely heavily on the References module.
