Multiple security advisories are issued for Drupal 7, 8, 9 core and contributed modules: SA-CORE-2020-012, SA-CONTRIB-2020-035, SA-CONTRIB-2020-036, SA-CONTRIB-2020-037, SA-CONTRIB-2020-038
Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036
Project: Media: oEmbed
Date: 2020-November-18
Security risk: Critical 17/25
Vulnerability: Remote Code Execution
Description
Media oEmbed does not properly sanitize certain filenames as described in SA-CORE-2020-012.
Solution
Install the latest version:
Upgrade to Media oEmbed 7.x-2.8
Ink Filepicker - Critical - Unsupported - SA-CONTRIB-2020-037
Project: Ink Filepicker
Date: 2020-November-18
Security risk: Critical 17/25
Vulnerability: Unsupported
Description
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer.
It looks like the third-party service that this module integrates with may have been retired.
If you would like to maintain this project nevertheless, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported
Solution
If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.
Drupal core - Critical - Remote code execution - SA-CORE-2020-012
Project: Drupal core
Date: 2020-November-18
Security risk: Critical 17/25
Vulnerability: Remote code execution
CVE IDs: CVE-2020-13671
Description
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.
Solution
Install the latest version:
If you are using Drupal 9.0, update to Drupal 9.0.8
If you are using Drupal 8.9, update to Drupal 8.9.9
If you are using Drupal 8.8 or earlier, update to Drupal 8.8.11
If you are using Drupal 7, update to Drupal 7.74
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Additionally, it's recommended that you audit all previously uploaded files to check for malicious extensions. Look specifically for files that include more than one extension, like .php.txt or .html.gif. Pay specific attention to the following file extensions, which should be considered dangerous even when followed by another extension:
- phar
- php
- pl
- py
- cgi
- asp
- js
- html
- htm
(Note that the list is not exhaustive.)
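An added helper for the audit described above (example code, not part of the advisory or of Drupal): it classifies filenames against the extension list given here, flagging a dangerous extension that is followed by another extension (the .php.txt / .html.gif pattern) separately from a dangerous final extension, and walks an upload directory to report findings. The sample names at the bottom are constructed.

```python
import os
from typing import List, Optional, Tuple

# Extensions the advisory lists as dangerous even when another extension follows
# them. The advisory says the list is not exhaustive; extend it to match what
# your web server is configured to execute or serve as active content.
DANGEROUS_EXTENSIONS = {"phar", "php", "pl", "py", "cgi", "asp", "js", "html", "htm"}

INNER = "dangerous extension followed by another extension"
FINAL = "dangerous final extension"


def extension_chain(name: str) -> List[str]:
    """Split 'shell.php.txt' into ['php', 'txt']. Case is folded so 'x.PHP.txt'
    is not missed; a leading dot (".htaccess") is not an extension; an empty
    part left by a trailing dot is dropped."""
    base = name.lower().lstrip(".")
    return [part for part in base.split(".")[1:] if part]


def classify_filename(name: str) -> Optional[str]:
    """Return a reason string if the filename should be reviewed, else None."""
    chain = extension_chain(name)
    if not chain:
        return None
    # The advisory's main concern: a dangerous extension hidden before a
    # harmless-looking final one, which some hosting configurations still execute.
    if any(ext in DANGEROUS_EXTENSIONS for ext in chain[:-1]):
        return INNER
    if chain[-1] in DANGEROUS_EXTENSIONS:
        return FINAL
    return None


def audit_directory(root: str) -> List[Tuple[str, str]]:
    """Walk an upload directory (your site's public files path) and list findings."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            reason = classify_filename(fn)
            if reason:
                findings.append((os.path.join(dirpath, fn), reason))
    return findings


if __name__ == "__main__":
    # Constructed sample names, not real uploads.
    for sample in ["report.pdf", "shell.php.txt", "avatar.html.gif", ".htaccess", "notes.txt.py"]:
        print(f"{sample:16} -> {classify_filename(sample)}")
```

Run `audit_directory()` against your files directory and review every finding by hand; a hit is a reason to inspect the file, not proof that it is malicious.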
SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-038
Project: SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider
Date: 2020-November-18
Security risk: Critical 16/25
Vulnerability: Access bypass
Description
This module enables your users residing at a SAML 2.0 compliant Identity Provider to login to your Drupal website.
The module has two Authentication Bypass vulnerabilities.
Solution
Install the latest version:
If you use the miniorange_saml module for Drupal 8.x, upgrade to miniorange_saml 8.x-2.14
If you use the miniorange_saml module for Drupal 7.x, upgrade to miniorange_saml 7.x-2.54
Examples for Developers - Critical - Remote Code Execution - SA-CONTRIB-2020-035
Project: Examples for Developers
Date: 2020-November-18
Security risk: Critical 17/25
Vulnerability: Remote Code Execution
Description
The File Example submodule within the Examples project does not properly sanitize certain filenames as described in SA-CORE-2020-012, along with other related vulnerabilities.
Therefore, File Example is being removed from Examples until a version demonstrating file security best practices can be added back in the future.
Solution
Any sites that have the File Example submodule installed should uninstall it immediately.
Then, install the latest version of Examples:
If you use Examples 3 (Drupal 9-compatible), upgrade to Examples 3.0.2
If you use the Examples module's 8.x-1.x branch, upgrade to Examples 8.x-1.1