Project: 
Date: 
2020-July-22
Vulnerability: 
Access bypass
Affected versions: 
<1.12.0
Description: 

The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. It contains an "Apigee Edge Teams" submodule that provides shared app functionality by allowing developers to be organized into teams.

The "Apigee Edge Teams" submodule has an information disclosure vulnerability. The "Add team member" form displays an email autocomplete field which can expose the email addresses of other accounts in the system.

This vulnerability is mitigated by the fact that access to the form requires the site to have the Apigee Edge Teams submodule enabled and the user to have a team role with the "Manage team members" permission. (Note that team roles and permissions are not related to Drupal core roles and permissions.)
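
To check whether a given site meets the conditions above, the following added example (not part of the advisory or of the Apigee Edge project) reads a site's `composer.lock` and its exported `core.extension.yml`. The Composer package name `drupal/apigee_edge` and the machine name `apigee_edge_teams` are assumptions not stated on this page, and the sample inputs are constructed.

```python
import json
import re

PACKAGE = "drupal/apigee_edge"     # assumed Composer package name of the module
SUBMODULE = "apigee_edge_teams"    # assumed machine name of the Teams submodule
FIXED = (1, 12, 0)                 # advisory: affected versions are <1.12.0

def parse_version(raw):
    """Parse '1.11.0', 'v1.11.0' or '8.x-1.11'; None for dev branches."""
    m = re.fullmatch(r"(?:v|\d+\.x-)?(\d+)\.(\d+)(?:\.(\d+))?(-.+)?", raw.strip())
    if not m:
        return None
    # (major, minor, patch) plus a flag for pre-release suffixes such as -rc1
    return tuple(int(g or 0) for g in m.groups()[:3]), bool(m.group(4))

def teams_enabled(core_extension_yml):
    """True if the submodule is listed under 'module:' in core.extension.yml."""
    section = None
    for line in core_extension_yml.splitlines():
        if line and not line[0].isspace():
            section = line.split(":")[0].strip()      # top-level key
        elif section == "module" and line.strip().split(":")[0] == SUBMODULE:
            return True
    return False

def assess(composer_lock, core_extension_yml):
    """Classify a site from the text of its composer.lock and core.extension.yml."""
    packages = json.loads(composer_lock).get("packages", [])
    pkg = next((p for p in packages if p.get("name") == PACKAGE), None)
    if pkg is None:
        return "not-installed"
    parsed = parse_version(pkg.get("version", ""))
    if parsed is None:
        return "unknown-version"          # dev checkout: compare by hand
    nums, prerelease = parsed
    if nums > FIXED or (nums == FIXED and not prerelease):
        return "patched"
    # Exposure additionally requires a team role with "Manage team members".
    if teams_enabled(core_extension_yml):
        return "exposed"
    return "affected-teams-disabled"

# Constructed sample inputs (not taken from a real site).
SAMPLE_LOCK = json.dumps({"packages": [{"name": PACKAGE, "version": "1.11.0"}]})
SAMPLE_EXT = "module:\n  apigee_edge: 0\n  apigee_edge_teams: 0\ntheme:\n  bartik: 0\n"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_EXT))
```

A result of `affected-teams-disabled` still calls for the upgrade, since enabling the submodule later would expose the form.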

Solution: 

Install the latest version:

Also see the Apigee Edge project page.

Coordinated By: