Critical Vulnerability Discovered in Drupal
A critical vulnerability has been identified in Drupal’s Basic HTTP Authentication module. This vulnerability allows attackers to bypass the access restrictions set by the module, potentially exposing sensitive content or resources to risk.
This vulnerability, designated as SA-CONTRIB-2024-057, pertains to the Basic HTTP Authentication module in Drupal. It arises because the module incorrectly sets access permissions for certain paths, leading to a bypass condition. As a result, access restrictions are removed, and users can gain unauthorized access to sensitive resources, which may compromise system security.
The critical vulnerability in Drupal’s Basic HTTP Authentication module enables an access bypass, allowing unauthorized access to sensitive resources. With a high security risk level (16/25), this issue affects all versions prior to 7.x-1.4. To address this vulnerability, it is recommended to upgrade to the fixed version, Basic Authentication 7.x-1.4.
UZCERT advises all users to apply these security measures as soon as possible.