oss-sec mailing list archives

CVE Request -- Drupal 7 -- Access bypass in node listings (SA-CORE-2011-002)


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 11 Jul 2011 12:44:12 +0200

Hello Josh, Steve, vendors,

  this:
  [1] http://drupal.org/node/1204582

  From [1]: Access bypass in node listings:
  =========================================

  Listings showing nodes but not JOINing the node table show all
  nodes regardless of restrictions imposed by the node_access system.
  In core, this affects the taxonomy and the forum subsystem.

  ...

  Versions affected:
  ==================

  Drupal 7.0, 7.1 and 7.2.


References:
------------
[2] https://bugzilla.redhat.com/show_bug.cgi?id=717874
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633385

doesn't seem to have a CVE identifier allocated yet. Could you allocate one?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
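
The listing behaviour quoted from the advisory above, as an added illustration that is not part of the original message and is not Drupal's code: a listing built from an index table alone returns every tagged node, while the same listing with a view-grant check on nid does not. The schema is a constructed simplification modelled on Drupal 7 table names, and the 'staff' realm, sample rows and function names are assumptions.

```python
import sqlite3

# Constructed, simplified schema (assumption): names are modelled on Drupal 7
# tables, but this is not Drupal's schema or code.
SCHEMA = """
CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE taxonomy_index (nid INTEGER, tid INTEGER);
CREATE TABLE node_access (nid INTEGER, gid INTEGER, realm TEXT, grant_view INTEGER);
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO node VALUES (?, ?)",
                   [(1, "Public post"), (2, "Staff-only post"), (3, "Public notice")])
    # All three constructed nodes are tagged with term 10.
    db.executemany("INSERT INTO taxonomy_index VALUES (?, 10)", [(1,), (2,), (3,)])
    # Grants: nodes 1 and 3 viewable by everyone (gid 0, realm 'all');
    # node 2 only by group 7 in the constructed realm 'staff'.
    db.executemany("INSERT INTO node_access VALUES (?, ?, ?, 1)",
                   [(1, 0, "all"), (3, 0, "all"), (2, 7, "staff")])
    return db

def listing_unfiltered(db, tid):
    """Listing built from the index table alone: no access check is applied."""
    rows = db.execute("SELECT nid FROM taxonomy_index WHERE tid = ? ORDER BY nid", (tid,))
    return [r[0] for r in rows]

def listing_filtered(db, tid, grants):
    """Same listing, restricted to nids with a matching view grant.
    `grants` is a list of (realm, gid) pairs held by the viewer."""
    if not grants:
        return []  # no grants at all: fail closed
    cond = " OR ".join("(na.realm = ? AND na.gid = ?)" for _ in grants)
    sql = (
        "SELECT ti.nid FROM taxonomy_index ti WHERE ti.tid = ? AND EXISTS ("
        "SELECT 1 FROM node_access na WHERE na.nid = ti.nid "
        f"AND na.grant_view >= 1 AND ({cond})) ORDER BY ti.nid"
    )
    params = [tid] + [v for pair in grants for v in pair]
    return [r[0] for r in db.execute(sql, params)]

if __name__ == "__main__":
    db = build_db()
    print("unfiltered:", listing_unfiltered(db, 10))
    print("anonymous :", listing_filtered(db, 10, [("all", 0)]))
    print("staff     :", listing_filtered(db, 10, [("all", 0), ("staff", 7)]))
```

A regression test for this class of bug compares the two listings for a viewer without the restricted grant and fails if they are equal.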

