Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2021-September-22
Vulnerability:
Arbitrary PHP code execution
Description:
This module enables you to extract the textual content of files for use on a website, e.g. to display it or use it in search indexes.
The module doesn't sufficiently protect the administrator-defined commands that are executed on the server, which leads to post-authentication remote code execution by a limited set of users.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer search_api". Sites are encouraged to review which roles have that permission and which users have that role, to ensure that only trusted users have that permission.
Solution:
Install the latest version:
- If you use the search_api_attachments module for Drupal 7.x, upgrade to search_api_attachments 7.x-1.19
The 8.x branch does not have Security Coverage.
Reported By:
Fixed By:
- Damien McKenna of the Drupal Security Team
- Ismaeil Abouljamal
Coordinated By:
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
