"We run a non-profit summer camp and hired Ricochet to design our camper and staff database from scratch. Their initial design was custom fit to suit our needs and as those needs have evolved the helpful staff at Ricochet have insured that timely changes keep our database up to date and running smoothly. Thanks for the fantastic service and personal attention, it's made a huge difference for our camp!"
—Chrissie Endler, Camp del Corazon

Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046

Wed, 2023-09-27 09:16 — Anonymous (not verified)

Project: Entity cacheDate: 2023-September-27Security risk: Critical 16∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Information disclosureDescription: Entity Cache puts core entities into Drupal's cache API.
A recent release of the module does not sanitize certain inputs appropriately. This can lead to unintended behavior when wildcard characters are included in the input.
The impact of this bug should be relatively minor in most configurations, but in worst-case scenarios it could lead to significant Access Bypass.Solution: Install the latest version:

If you use the Entity cache module for Drupal 7.x, upgrade to Entity cache 7.x-1.7.

Reported By:

Gary Sargent

Fixed By:

Damien McKenna of the Drupal Security Team
Gary Sargent
Drew Webber of the Drupal Security Team
Jess of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Juraj Nemec of the Drupal Security Team
Linus Cash
Neil Hodgkinson

Coordinated By:

Damien McKenna of the Drupal Security Team
Drew Webber of the Drupal Security Team
Jess of the Drupal Security Team
Greg Knaddison of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2023-046

Search form

Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046