Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2020-028
Project: Apigee Edge
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: Moderately critical 10∕25
Vulnerability: Access bypass
Description
The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. It contains an "Apigee Edge Teams" submodule that provides shared app functionality by allowing developers to be organized into teams.
The "Apigee Edge Teams" submodule has an information disclosure vulnerability. The "Add team member" form displays an email autocomplete field that matches against, and returns, the email addresses of other accounts in the system, so a user who can reach the form can learn addresses they would otherwise have no permission to see.
This vulnerability is mitigated by the fact that to have access to the form, the site must have the Apigee Edge Teams submodule enabled, and the user must have a team role that has the "Manage team members" permission. (Note that team roles and permissions are not related to Drupal core roles and permissions).
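The pattern behind this class of bug, as an added illustration that is not code from the Apigee Edge module and does not reproduce its fix: a Drupal autocomplete callback that does a substring match on the mail column and echoes the address back in the label lets any caller enumerate accounts one letter at a time. The hardened variant below requires a complete address, matches it exactly, and only confirms a match for callers who hold core's "view user email addresses" permission; everyone else gets the same empty response whether or not the account exists, and the form's submit handler (not shown) is expected to resolve the address server-side instead. The namespace, class, method and query parameter names are assumptions for the example, and the route definition that would map a path to these methods is omitted.

```php
<?php
// Added illustrative example; not code from the apigee_edge project.
// Namespace, class, method and the "q" query parameter are assumptions.

namespace Drupal\example_teams\Controller;

use Drupal\Core\Controller\ControllerBase;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;

class MemberAutocompleteController extends ControllerBase {

  /**
   * Weak version: substring match on the mail column, address echoed back.
   *
   * Requesting ?q=a, ?q=b, ... walks the whole user table, and the label
   * hands the full address to a caller who only knew one character of it.
   */
  public function weak(Request $request): JsonResponse {
    $input = trim((string) $request->query->get('q', ''));
    if ($input === '') {
      return new JsonResponse([]);
    }
    $storage = $this->entityTypeManager()->getStorage('user');
    $ids = $storage->getQuery()
      ->accessCheck(TRUE)
      ->condition('status', 1)
      ->condition('mail', $input, 'CONTAINS')
      ->range(0, 10)
      ->execute();
    $matches = [];
    foreach ($storage->loadMultiple($ids) as $account) {
      $matches[] = [
        'value' => $account->getEmail(),
        'label' => $account->getDisplayName() . ' (' . $account->getEmail() . ')',
      ];
    }
    return new JsonResponse($matches);
  }

  /**
   * Hardened version: exact match on a complete address, gated by permission.
   *
   * A caller who lacks "view user email addresses" always receives [] so the
   * endpoint cannot be used as an existence oracle; resolving the typed
   * address then happens in the form's submit handler, which should report
   * "could not add member" without distinguishing an unknown address from a
   * disallowed one. Only the user ID and display name are returned, never
   * the stored address.
   */
  public function hardened(Request $request): JsonResponse {
    if (!$this->currentUser()->hasPermission('view user email addresses')) {
      return new JsonResponse([]);
    }
    $input = trim((string) $request->query->get('q', ''));
    if (!filter_var($input, FILTER_VALIDATE_EMAIL)) {
      return new JsonResponse([]);
    }
    $storage = $this->entityTypeManager()->getStorage('user');
    $ids = $storage->getQuery()
      ->accessCheck(TRUE)
      ->condition('status', 1)
      ->condition('mail', $input)
      ->range(0, 1)
      ->execute();
    if (!$ids) {
      return new JsonResponse([]);
    }
    $account = $storage->load(reset($ids));
    return new JsonResponse([[
      'value' => $account->id(),
      'label' => $account->getDisplayName(),
    ]]);
  }

}
```

The two points worth carrying over to any "add member by email" form: partial matching on an identifier that is itself confidential is the disclosure, and an exact-match lookup still confirms existence, so it needs the same access check as viewing the address would.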
Solution
Install the latest version:
If you use the apigee_edge_teams submodule for Drupal 8.x, upgrade to Apigee Edge module 8.x-1.12. Sites that do not have the submodule enabled are not exposed to this issue but should still update; on a site with Drush 9 or later, "drush pm:list --status=enabled" lists the enabled modules, so you can confirm whether apigee_edge_teams is among them.
Also see the Apigee Edge project page.