Project: 
Date: 
2019-February-27
Vulnerability: 
Access bypass
Description: 

The Rabbit Hole module allows administrators to control what should happen when a regular user tries to view an entity at its own page; for example, it may deliver a 403 Access Denied or 404 Page Not Found response, or redirect the user to another path.

The module doesn't respect the Rabbit Hole settings when an entity is requested with a certain header. This could expose data that should not be exposed. The vulnerability is mitigated by the fact that the user also needs permission to view the content being requested.

Solution: 

Install version 7.x-2.25, available at https://www.drupal.org/project/rabbit_hole/releases/7.x-2.25.

Reported By: 
Coordinated By: