1089819 – (CVE-2014-2983) CVE-2014-2983 drupal: information disclosure flaw in form API

Bug 1089819 (CVE-2014-2983) - CVE-2014-2983 drupal: information disclosure flaw in form API

Summary: CVE-2014-2983 drupal: information disclosure flaw in form API

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-2983
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1089820 1089822 1089823 1089825 1089827
Blocks:
TreeView+	depends on / blocked

Reported:	2014-04-22 04:01 UTC by Murray McAllister
Modified:	2021-02-17 06:38 UTC (History)
CC List:	13 users (show)
Fixed In Version:	drupal 6.31, drupal 7.27
Clone Of:
Environment:
Last Closed:	2014-05-05 01:51:44 UTC
Embargoed:

Attachments	(Terms of Use)

Description Murray McAllister 2014-04-22 04:01:24 UTC

The Drupal SA-CORE-2014-002 advisory fixes the following issue:

""
Drupal's form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server.

When pages are cached for anonymous users (either by Drupal or by an external system), form state may leak between anonymous users. As a consequence there is a chance that interim form input recorded for one anonymous user (which may include sensitive or private information, depending on the nature of the form) will be disclosed to other users interacting with the same form at the same time. This especially affects multi-step Ajax forms because the window of opportunity (i.e. the time span between user input and final form submission) is indeterminable.

This vulnerability is mitigated by the fact that Drupal core does not expose any such forms to anonymous users by default. However, contributed modules or individual sites which leverage the Drupal Form API under the aforementioned conditions might be vulnerable.

Note: This security release introduces small API changes which may require code updates on sites that expose Ajax or multi-step forms to anonymous users, and where the forms are displayed on pages that are cached (either by Drupal or by an external system). See the Drupal 6.31 release notes and Drupal 7.27 release notes for more information.
""

This issue is corrected in versions 6.31 and 7.27 (these versions are currently in Fedora and EPEL testing).

External References:

https://drupal.org/SA-CORE-2014-002

Comment 2 Murray McAllister 2014-04-22 04:03:46 UTC

Created drupal7 tracking bugs for this issue:

Affects: fedora-all [bug 1089823]
Affects: epel-all [bug 1089825]

Comment 3 Murray McAllister 2014-04-22 04:03:51 UTC

Created drupal6 tracking bugs for this issue:

Affects: fedora-all [bug 1089820]
Affects: epel-all [bug 1089822]

Comment 4 Peter Borsa 2014-05-03 10:23:53 UTC

The updated drupal6 and drupal7 packages can be found in stable repositories but I don't know what is that bug(1089827) because I cannot see it since I get "Access Denied; You are not authorized to access bug #1089827."

So, can we close this bug or should we do anything else?

PS: Jon Ciesla updated drupal packages.

Comment 5 Murray McAllister 2014-05-05 01:51:44 UTC

(In reply to Peter Borsa from comment #4)
> The updated drupal6 and drupal7 packages can be found in stable repositories
> but I don't know what is that bug(1089827) because I cannot see it since I
> get "Access Denied; You are not authorized to access bug #1089827."
> 
> So, can we close this bug or should we do anything else?
> 
> PS: Jon Ciesla updated drupal packages.

It can be closed now, thanks for the notification.

bug 1089827 is for OpenShift Online, it can be ignored.

Note You need to log in before you can comment on or make changes to this bug.