- Advisory ID: DRUPAL-SA-CONTRIB-2014-066
- Project: Node Access Keys (third-party module)
- Version: 7.x
- Date: 2014-July-02
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis.
It was found that unpublished nodes of content types that that did not have an access key were visible to all. Also, If an unpublished node of a content type that was protected by an access key was visited with the access key then access was granted.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Node Access Keys 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Node Access Keys module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Node Access Keys module for Drupal 7.x, upgrade to Node Access Keys 7.x-1.2
Also see the Node Access Keys project page.
Reported by
- This issue was disclosed publicly.
Fixed by
- Daniel Korte the module maintainer
Coordinated by
- Greg Knaddison of the Drupal Security Team
- David Rothstein of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
