Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

https://www.drupal.org/security/rss.xml / Fri, 08/23/2024 - 10:05

Project:

Drupal core

Date:

2022-June-10

Security risk:

Moderately critical 13∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon

Vulnerability:

Third-party libraries

Affected versions:

>= 8.0.0 <9.2.21 || >= 9.3.0 <9.3.16

CVE IDs:

CVE-2022-31042

CVE-2022-31043

Description:

Updated 22:00 UTC 2022-06-10: Added steps to update without drupal/core-recommended.

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:

These do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.

We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has already published information about the vulnerabilities, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated these vulnerabilities as high-risk.

This advisory is not covered by Drupal Steward.

Solution:

Install the latest version:

If you are using Drupal 9.4, update to Drupal 9.4.0-rc2.
If you are using Drupal 9.3, update to Drupal 9.3.16.
If you are using Drupal 9.2, update to Drupal 9.2.21.

All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 is not affected.

Advanced users may also work around this issue by temporarily using drupal/core instead of drupal/core-recommended and then updating Guzzle to the desired version. More information on managing Guzzle with Drupal 9.4.

Reported By:

Fixed By:

Heine of the Drupal Security Team
Dave Long, provisional member of the Drupal Security Team
Damien McKenna of the Drupal Security Team
Michael Hess of the Drupal Security Team
cilefen of the Drupal Security Team
xjm of the Drupal Security Team
Benji Fisher, provisional member of the Drupal Security Team

About

Kenya Education Network CERT(KENET-CERT) is a Cybersecurity Emergency Response Team and Co-ordination Center operated by the National Research and Education Network of Kenya. KENET-CERT coordination center promotes awareness on cybersecurity incidences as well as coordinates and assists member institutions in responding effectively to cyber security threats and incidences. KENET-CERT works closely with Kenya's National CIRT coordination center (CIRT/CC) as a sector CIRT for the academic institutions. KENET promotes use of ICT in Teaching, Learning and Research in Higher Education Institutions in Kenya. KENET aims to interconnect all the Universities, Tertiary and Research Institutions in Kenya by setting up a cost effective and sustainable private network with high speed access to the global Internet. KENET also facilitates electronic communication among students and faculties in member institutions, share learning and teaching resources by collaboration in Research and Development of Educational content.

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

Categories

Recent Posts

USN-7118-1: ZBar vulnerabilities

CISA Releases Insights from Red Team Assessment of a U.S. Critical Infrastructure Sector Organization

USN-7091-2: Ruby vulnerabilities

About