Multiple security advisories are issued for Drupal 7, 8, 9 core and contributed modules: SA-CORE-2020-012, SA-CONTRIB-2020-035, SA-CONTRIB-2020-036, SA-CONTRIB-2020-037, SA-CONTRIB-2020-038

Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036

Project: Media: oEmbed
Date: 2020-November-18
Security risk: Critical 17∕25 
Vulnerability: Remote Code Execution

Description

Media oEmbed does not properly sanitize certain filenames as described in SA-CORE-2020-012.

Solution

Install the latest version:

Upgrade to Media oEmbed 7.x-2.8

Ink Filepicker - Critical - Unsupported - SA-CONTRIB-2020-037

Project: Ink Filepicker
Date: 2020-November-18
Security risk: Critical 17∕25 
Vulnerability: Unsupported

Description

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer.

It looks like the 3rd party service that this module integrates with may have been retired.

If you would like to maintain this project nevertheless, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.

Drupal core - Critical - Remote code execution - SA-CORE-2020-012

Project: Drupal core
Date: 2020-November-18
Security risk: Critical 17∕25 
Vulnerability: Remote code execution
CVE IDs: CVE-2020-13671

Description

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.

Solution

Install the latest version:

If you are using Drupal 9.0, update to Drupal 9.0.8
If you are using Drupal 8.9, update to Drupal 8.9.9
If you are using Drupal 8.8 or earlier, update to Drupal 8.8.11
If you are using Drupal 7, update to Drupal 7.74

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.

Additionally, it's recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like .php.txt or .html.gif. Pay specific attention to the following file extensions, which should be considered dangerous even when followed by another extension:

  • phar
  • php
  • pl
  • py
  • cgi
  • asp
  • js
  • html
  • htm

(Note that the list is not exhaustive.)
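One way to run the audit recommended above, as an added example (not code from Drupal or from the advisory). The function names `classify` and `audit` and the default path `sites/default/files` are assumptions, and the matching goes slightly beyond the advisory's examples by ignoring letter case and empty parts left by stray dots.

```python
import os
import sys

# Extensions the advisory calls dangerous even when another extension follows.
# The advisory says this list is not exhaustive; extend it for your hosting stack.
DANGEROUS = {"phar", "php", "pl", "py", "cgi", "asp", "js", "html", "htm"}


def classify(filename):
    """Return (extension, position) pairs for each dangerous extension in a name.

    position is "embedded" when another extension follows (shell.php.txt)
    and "final" when it is the last one (shell.php).
    """
    # Drop the base name, lower-case, and ignore empty parts from "a.php." or "a..php".
    parts = [p.strip().lower() for p in filename.split(".")[1:]]
    parts = [p for p in parts if p]
    hits = []
    for i, ext in enumerate(parts):
        if ext in DANGEROUS:
            hits.append((ext, "embedded" if i < len(parts) - 1 else "final"))
    return hits


def audit(root):
    """Walk root and return sorted (relative_path, extension, position) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            for ext, position in classify(name):
                findings.append((rel, ext, position))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed default: Drupal's usual public files directory; pass your own path.
    root = sys.argv[1] if len(sys.argv) > 1 else "sites/default/files"
    for rel, ext, position in audit(root):
        print(f"{position:8}  .{ext:5}  {rel}")
```

"embedded" findings are the multi-extension names the advisory singles out; "final" findings (for example Drupal's own aggregated .js files) need a judgment call on whether the file belongs there.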

SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-038

Project: SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider
Date: 2020-November-18
Security risk: Critical 16∕25 
Vulnerability: Access bypass

Description

This module enables your users residing at a SAML 2.0 compliant Identity Provider to login to your Drupal website.

The module has two Authentication Bypass vulnerabilities.

Solution

Install the latest version:

If you use the miniorange_saml module for Drupal 8.x, upgrade to miniorange_saml 8.x-2.14
If you use the miniorange_saml module for Drupal 7.x, upgrade to miniorange_saml 7.x-2.54

Examples for Developers - Critical - Remote Code Execution - SA-CONTRIB-2020-035

Project: Examples for Developers
Date: 2020-November-18
Security risk: Critical 17∕25 
Vulnerability: Remote Code Execution

Description

The File Example submodule within the Examples project does not properly sanitize certain filenames as described in SA-CORE-2020-012, along with other related vulnerabilities.

Therefore, File Example is being removed from Examples until a version demonstrating file security best practices can be added back in the future.

Solution

Any sites that have the File Example submodule installed should uninstall it immediately.

Then, install the latest version of Examples:

If you use Examples 3 (Drupal 9-compatible), upgrade to Examples 3.0.2
If you use the Examples module's 8.x-1.x branch, upgrade to Examples 8.x-1.1

Nick Onom
Marketing Project Manager