Project: 
Date: 2021-September-22
Vulnerability: Cache poisoning
Affected versions: <2.0.1
Description: 

This module enables you to create an individual hash for each user. These hashes can be used for authentication instead of the user's password, e.g. for views exporters.

The module doesn't sufficiently invalidate page output when the page_cache module is used.

This vulnerability is mitigated by the fact that an attacker must have a user hash that grants access to specific content and the attack must be timed to the reset of the page cache.

Solution: 

Install the latest version:

  • If you use the user_hash module for Drupal 8 or 9, upgrade to User Hash 2.0.1.
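
To check a site against the affected range above, the following added example (not part of the original advisory or the module's code) audits a composer.lock file for a user_hash release below 2.0.1. The Composer package name drupal/user_hash is an assumption, and the lock-file contents are constructed sample data.

```python
import json
import re

PACKAGE = "drupal/user_hash"   # assumption: Composer name of the user_hash module
FIXED = (2, 0, 1)              # first fixed release named in the advisory

# Constructed composer.lock fragment, for illustration only.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "9.2.6"},
        {"name": PACKAGE, "version": "2.0.0"},
    ],
    "packages-dev": [],
})

def parse_version(raw):
    """Return ((major, minor, patch), is_prerelease), or None for dev branches."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?\d*)?",
                     raw.strip(), re.IGNORECASE)
    if m is None:
        return None
    return (int(m[1]), int(m[2]), int(m[3])), m[4] is not None

def is_affected(raw):
    """True if below 2.0.1, False if fixed, None if not comparable (e.g. dev-2.x)."""
    parsed = parse_version(raw)
    if parsed is None:
        return None
    core, prerelease = parsed
    # A pre-release of the fixed version (2.0.1-rc1) sorts before 2.0.1, so flag it.
    return core < FIXED or (core == FIXED and prerelease)

def audit_lock(lock_text):
    """Report the locked user_hash version and whether it needs the upgrade."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            version = pkg.get("version", "")
            return {"installed": version, "affected": is_affected(version)}
    return {"installed": None, "affected": False}

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

An "affected" value of None means the lock file pins a development branch, which has to be compared against the 2.0.1 release by hand.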
Reported By: 
Fixed By: 
Coordinated By: