Bug 1643121

Summary: drupal: Multiple Vulnerabilities - SA-CORE-2018-006
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: gwync, hello, jsmith.fedora, shawn, stickster
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: drupal 7.60, drupal 8.6.2, drupal 8.5.8
Last Closed: 2019-03-21 13:45:33 UTC
Type: ---
Regression: ---
Bug Depends On: 1643122, 1643123, 1643124

Description Andrej Nemec 2018-10-25 14:22:07 UTC
Multiple issues were reported in the latest drupal security advisory.

1. Content moderation - Moderately critical - Access bypass - Drupal 8

In some conditions, content moderation fails to check a user's access to use certain transitions, leading to an access bypass.

2. External URL injection through URL aliases - Moderately Critical - Open Redirect - Drupal 7 and Drupal 8

The path module allows users with the 'administer paths' permission to create pretty URLs for content.

In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious URL.

3. Anonymous Open Redirect - Moderately Critical - Open Redirect - Drupal 8

Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

4. Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution - Drupal 7 and Drupal 8

When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.

5. Contextual Links validation - Critical - Remote Code Execution - Drupal 8

The Contextual Links module doesn't sufficiently validate the requested contextual links.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access contextual links".

External References:

https://www.drupal.org/sa-core-2018-006
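A generic check for the class of input described in items 2 and 3 above: a "destination"-style redirect parameter that must only ever send the browser to a path on the current site. This is an added example, not Drupal's code and not the fix shipped in the advisory; the function names and the sample values are constructed for illustration, and the bypass strings are the usual ones that a "does it start with a slash" filter misses (scheme-relative `//host`, `///host`, backslashes, leading control characters, a bare `scheme:` prefix).

```python
"""
Validating a ``destination``-style redirect parameter so it can only send the
browser to a path on the current site.  Added illustration, not Drupal code.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values (not taken from the advisory), mapped to whether a
# redirect to them should be allowed.
SAMPLES = {
    "/user/1/edit": True,
    "node/5?foo=bar": True,
    "/search?q=%2F%2Fevil.example": True,   # query string is data, not an origin
    "/user/1/edit#tab": True,
    "//evil.example/phish": False,          # scheme-relative URL
    "///evil.example": False,               # browsers collapse the extra slashes
    "/\\evil.example": False,               # browsers treat \ as / for http(s)
    "/\\\\evil.example": False,
    "https://evil.example/": False,
    "http:evil.example": False,             # scheme with no slashes still resolves
    "javascript:alert(1)": False,
    "\t//evil.example": False,              # browsers strip leading control chars
    "": False,
}


def is_local_destination(value: str) -> bool:
    """Accept only a same-origin path, optionally with query and fragment."""
    if not value:
        return False
    # Browsers strip leading/trailing whitespace and control characters before
    # parsing, so anything that needs that normalisation is rejected outright.
    if value != value.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False
    # For http(s) a backslash is parsed as a forward slash by browsers.
    if "\\" in value:
        return False
    # "//host", "///host", ...: urlsplit drops the extra slashes, so test the raw
    # string rather than relying on the parsed netloc alone.
    if value.startswith("//"):
        return False
    parts = urlsplit(value)
    # Any scheme or authority means a different origin.
    if parts.scheme or parts.netloc:
        return False
    return True


def safe_redirect_target(value: str, fallback: str = "/") -> str:
    """Return a normalised site-relative path to redirect to, or the fallback."""
    if not is_local_destination(value):
        return fallback
    parts = urlsplit(value)
    path = parts.path if parts.path.startswith("/") else "/" + parts.path
    return urlunsplit(("", "", path, parts.query, parts.fragment))


def check_samples() -> dict:
    """Map each sample to whether the check agreed with the expected verdict."""
    return {v: is_local_destination(v) is expected for v, expected in SAMPLES.items()}


if __name__ == "__main__":
    for value, ok in check_samples().items():
        print(f"{'OK ' if ok else 'BAD'} {value!r} -> {safe_redirect_target(value)!r}")
```

The important design choice is that the check is an allow-list over the parsed structure (no scheme, no authority) combined with raw-string checks for the inputs that URL parsers quietly normalise away; a deny-list of `http://` prefixes is what open-redirect bypasses are built against.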

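An added illustration of the bug class in item 4 above (a variable reaching the shell arguments of the mail transport unsanitised). This is not Drupal's DefaultMailSystem code and does not reproduce the advisory's specific vector; the sendmail path, the function names and the hostile input are assumptions constructed for the example, and nothing below actually executes sendmail. It contrasts the vulnerable pattern (interpolating an address into a shell command line) with the hardened one (validate the address, then pass argv with no shell in between).

```python
"""
Envelope-sender handling for a sendmail-style pipe: vulnerable pattern beside
the hardened one.  Added illustration, not Drupal code.
"""
import re
import shlex
import subprocess

SENDMAIL = "/usr/sbin/sendmail"   # assumed path for the example

# Deliberately narrow addr-spec: one local part, one dotted domain, no spaces,
# quotes, angle brackets or control characters.  Narrower than RFC 5322 on purpose.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

# Constructed inputs (not from the advisory): a benign address and a value that
# smuggles extra sendmail options through the shell's word splitting.
BENIGN = "alice@example.org"
HOSTILE = "alice@example.org -OQueueDirectory=/tmp -X/var/www/html/x.php"


def naive_command(return_path: str) -> str:
    """The vulnerable pattern: interpolate the address into a shell command line."""
    return f"{SENDMAIL} -t -i -f{return_path}"


def extra_shell_words(return_path: str) -> list:
    """Argv entries the shell would hand to sendmail beyond the expected four."""
    return shlex.split(naive_command(return_path))[4:]


def is_safe_return_path(return_path: str) -> bool:
    """True only for a plain addr-spec that matches ADDR_RE in full."""
    return ADDR_RE.fullmatch(return_path) is not None


def build_sendmail_argv(return_path: str) -> list:
    """Hardened pattern: validate, then build argv that never touches a shell."""
    if not is_safe_return_path(return_path):
        raise ValueError(f"refusing unsafe envelope sender: {return_path!r}")
    # Joined "-f<addr>" form so the address can never be read as its own option.
    return [SENDMAIL, "-t", "-i", f"-f{return_path}"]


def send(message: bytes, return_path: str, run=subprocess.run):
    """Hand the message to sendmail on stdin; `run` is injectable for tests."""
    argv = build_sendmail_argv(return_path)
    return run(argv, input=message, check=True)


if __name__ == "__main__":
    for candidate in (BENIGN, HOSTILE):
        print(f"{candidate!r}: shell would add {extra_shell_words(candidate)}")
        try:
            print("  argv:", build_sendmail_argv(candidate))
        except ValueError as exc:
            print("  rejected:", exc)
```

Passing a list to `subprocess.run` (or the equivalent `exec`-style call in another language) is the actual fix: with no shell involved, a value containing spaces or quotes arrives as a single argument and cannot become `-X` or `-O`. The address validation is defence in depth, so that a malformed sender is rejected before it reaches the transport at all.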
Comment 1 Andrej Nemec 2018-10-25 14:22:41 UTC
Created drupal7 tracking bugs for this issue:

Affects: epel-all [bug 1643124]
Affects: fedora-all [bug 1643122]


Created drupal8 tracking bugs for this issue:

Affects: fedora-all [bug 1643123]

Comment 2 Fedora Update System 2019-03-12 21:47:49 UTC
drupal6-6.38-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 3 Shawn Iwinski 2019-03-21 03:24:34 UTC
All dependent bugs have been closed.  Can this tracking bug be closed?