Date: 
2022-January-25
Vulnerability: 
Unsupported
Affected versions: 
<2.0.1
Description: 

This module provides a stream wrapper for files located in the vendor directory. Even when the vendor directory is moved outside the webroot, it allows providing publically accessible URLs to these files.

The module exposes all files that are in the vendor directory, without a site owner's knowledge or intention. This could be undesirable behavior, especially since this module is required as a dependency by other modules.

Edited October 24, 2023 after the project has been re-supported by new maintainers and this advisory metadata affects composer.

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported

Solution: 

Update the Vendor Stream Wrapper to 2.0.1.

After updating the Vendor Stream Wrapper module, navigate to '/admin/config/media/vendor-stream-wrapper' and indicate the patterns of files/directories located in the vendor directory that should be publicly accessible.

If you use this project, you should uninstall it. To take over maintainership, please read https://www.drupal.org/node/251466#procedure---own-project---unsupported in full.

Reported By: 
Coordinated By: