Group - Moderately critical - Information disclosure - SA-CONTRIB-2020-032

Project: Group
Version: 8.x-1.x-dev
Date: 2020-August-05
Security risk: Moderately critical 12∕25 
Vulnerability: Information disclosure

Description

The Group module enables you to hand out permissions on a smaller subset, section or community of your website.

With the 1.1 security release, new code was introduced to ensure proper access for all entity types, but a mistake introduced unexpected access to unpublished nodes.

Solution

Install the latest version:

If you are using 8.x-1.0 or later, you should upgrade to 8.x-1.2.
If you are using 8.x-1.0-rc5, that version is not affected by this issue. You can also consider upgrading to 8.x-1.2.