Gutenberg - Critical - Access bypass - SA-CONTRIB-2021-007

Project: Gutenberg

Version: 8.x-2.x-dev, 8.x-1.x-dev

Date: 2021-May-12

Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability: Access bypass

Description: This module provides a new UI experience for node editing using the Gutenberg Editor library.
The module did not correctly validate access rules in certain situations, allowing anonymous users to delete blocks.

Solution: Install the latest version:

  • If you use the Gutenberg module 8.x-1.x, upgrade to 8.x-1.12
  • If you use the Gutenberg module 8.x-2.x, upgrade to 8.x-2.0
  • For roles other than administrator, the "Administer Gutenberg" (8.x-1.x) or the "Use Gutenberg" (8.x-2.x) permission must be given to view and delete reusable blocks.

Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2021-007