As BSI now reviews, the vulnerability has been recognized in Drupal extensions. You can learn the outline of the safety vulnerability and the record of affected working methods and merchandise right here.
Federal workplace for Security in Information Technology (BSI) reported a safety advisory for Drupal extensions on May 22, 2024. The software program incorporates a number of vulnerabilities that make it attainable to assault. The working methods Linux, UNIX and Windows in addition to the open supply product Drupal are affected by the safety hole.
The newest producer suggestions for updates, workarounds and safety patches for this vulnerability may be discovered right here: Drupal Security-news SA-CONTRIB-2024-021 (From 22 May 2024). Some helpful sources are listed later on this article.
Multiple vulnerabilities have been reported for Drupal extensions – Risk: average
Risk degree: 3 (average)
CVSS Base Score: 7.3
CVSS provisional rating: 6,4
Remote management: Ja
The Common Vulnerability Scoring System (CVSS) is used to evaluate the severity of vulnerabilities in laptop methods. The CVSS commonplace makes it attainable to match potential or precise safety dangers based mostly on numerous metrics to be able to prioritize countermeasures. The attributes “none”, “low”, “medium”, “excessive” and “extreme” are used to find out the severity ranges of vulnerability. The Base Score evaluates the necessities of an assault (together with authentication, complexity, privileges, consumer interplay) and its outcomes. For momentary impact, body situations that will change over time are thought-about within the take a look at. According to CVSS, the danger of the vulnerability mentioned right here is evaluated as “inside” with a base rating of seven.3.
Drupal Extensions Bug: Summary of present vulnerabilities
Drupal is a free content material administration system based mostly on the PHP scripting language and an SQL database. The vary of capabilities of the principle set up may be expanded individually utilizing a number of extensions.
A distant attacker can exploit a number of vulnerabilities in numerous Drupal extensions to bypass safety measures or expose delicate data.
Systems affected by the safety hole at a look
Operating methods
Linux, UNIX, Windows
Products
Open Source Drupal Email Contact Open Source Drupal Commerce View Receipt
General suggestions for coping with IT vulnerabilities
- Users of affected methods ought to keep up-to-date. When safety holes are identified, producers are required to repair them shortly by growing a patch or workaround. If safety patches can be found, set up them instantly.
- For data, see the sources listed within the subsequent part. This usually incorporates further details about the newest model of the software program in query and the provision of safety patches or efficiency ideas.
- If you’ve got any additional questions or uncertainties, please contact your accountable administrator. IT safety managers ought to recurrently verify the required sources to see if a brand new safety replace is on the market.
Sources for updates, patches and workarounds
Here you’ll find some hyperlinks with details about bug reviews, safety fixes and workarounds.
Drupal Security-news SA-CONTRIB-2024-021 vom 2024-05-22 (22.05.2024)
For extra data, see:
Drupal Security-news SA-CONTRIB-2024-020 vom 2024-05-22 (22.05.2024)
For extra data, see:
Version historical past of this safety alert
This is the primary model of this IT safety discover for Drupal extensions. If updates are introduced, this doc might be up to date. You can examine adjustments or additions on this model historical past.
May 22, 2024 – First model
+++ Editorial observe: This doc relies on present BSI information and might be up to date in a data-driven method relying on the standing of the alert. We welcome suggestions and feedback at [email protected]. +++
observe News.de you’re right here Facebook, Twitter, Pinterest once more YouTube? Here you’ll find sizzling information, present movies and a direct line to the editorial crew.
kns/roj/information.de