Advisory ID: SA-CORE-2016-001
Project: Drupal core
Version: 6.x, 7.x, 8.x
Date: 2016-February-24
Security risk: 15/25 (Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Multiple vulnerabilities

Description

File upload access bypass and denial of service (File module - Drupal 7 and 8 - Moderately Critical)

A vulnerability exists in the File module that allows a malicious user to view, delete or substitute a link to a file that the victim has uploaded to a form while the form has not yet been submitted and processed. If an attacker carries out this attack continuously, all file uploads to a site could be blocked by deleting all temporary files before they can be saved.

This vulnerability is mitigated by the fact that the attacker must have permission to create content or comment and upload files as part of that process.

Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal 6 and 7 - Moderately Critical)

The XML-RPC system allows a large number of calls to the same method to be made at once, which can be used as an enabling factor in brute force attacks (for example, attempting to determine user passwords by submitting a large number of password variations at once).

This vulnerability is mitigated by the fact that you must have enabled a module that provides an XML-RPC method that is vulnerable to brute-forcing. There are no such modules in Drupal 7 core, but Drupal 6 core is vulnerable via the Blog API module.
It is additionally mitigated if flood control protection is in place for the method in question.

Open redirect via path manipulation (Base system - Drupal 6, 7 and 8 - Moderately Critical)

In Drupal 6 and 7, the current path can be populated with an external URL. This can lead to open redirect vulnerabilities.

This vulnerability is mitigated by the fact that it would only occur in combination with custom code, or in certain cases if a user submits a form shown on a 404 page with a specially crafted URL.

For Drupal 8 this is a hardening against possible browser flaws handling certain redirect paths.

Form API ignores access restrictions on submit buttons (Form API - Drupal 6 - Critical)

An access bypass vulnerability was found that allows input to be submitted, for example using JavaScript, for form button elements that a user is not supposed to have access to because the button was blocked by setting #access to FALSE in the server-side form definition.

This vulnerability is mitigated by the fact that the attacker must have access to submit a form that has such buttons defined for it (for example, a form that both administrators and non-administrators can access, but where administrators have additional buttons available to them).

HTTP header injection using line breaks (Base system - Drupal 6 - Moderately Critical)

A vulnerability in the drupal_set_header() function allows an HTTP header injection attack to be performed if user-generated content is passed as a header value on sites running PHP versions older than 5.1.2. If the content contains line breaks, the user may be able to set arbitrary headers of their own choosing.

This vulnerability is mitigated by the fact that most hosts have newer versions of PHP installed, and that it requires a module to be installed on the site that allows user-submitted data to appear in HTTP headers.
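The Form API issue above comes down to one question: when a request arrives, which button counts as the "triggering element"? The following is an added example, not Drupal core code, that models a form where a non-administrator posts the name of a button that was defined with '#access' => FALSE for them. The example_* function names, the form definition and the POST body are this example's own constructions; only the '#type', '#value' and '#access' properties follow Form API conventions.

```php
<?php
// Added example, not Drupal core code: a submit handler fooled by a posted
// button name, beside the check the advisory's fix amounts to. The example_*
// functions, the form and the POST body are this example's own constructions.

/**
 * Collects every button element in a form definition, keyed by element name.
 * Keys that start with '#' are properties, not children; containers such as
 * fieldsets are searched recursively.
 */
function example_collect_buttons(array $form) {
  $buttons = array();
  foreach ($form as $key => $element) {
    if (strpos((string) $key, '#') === 0 || !is_array($element)) {
      continue;
    }
    if (isset($element['#type']) && in_array($element['#type'], array('submit', 'button', 'image_button'), TRUE)) {
      $buttons[$key] = $element;
    }
    $buttons += example_collect_buttons($element);
  }
  return $buttons;
}

/**
 * Vulnerable: the first button whose name and value appear in the POST body is
 * treated as the triggering element, even if the server-side definition set
 * '#access' => FALSE on it.
 */
function example_triggering_button_vulnerable(array $form, array $input) {
  foreach (example_collect_buttons($form) as $name => $button) {
    if (isset($input[$name]) && $input[$name] === $button['#value']) {
      return $name;
    }
  }
  return NULL;
}

/**
 * Hardened: a button the current user cannot access can never be the
 * triggering element, whatever the client posted, so its submit handler
 * never runs.
 */
function example_triggering_button_fixed(array $form, array $input) {
  foreach (example_collect_buttons($form) as $name => $button) {
    if (isset($button['#access']) && $button['#access'] === FALSE) {
      continue;
    }
    if (isset($input[$name]) && $input[$name] === $button['#value']) {
      return $name;
    }
  }
  return NULL;
}

// Constructed form: everyone who can see it may "Save"; only administrators
// get a "Publish" button. For a non-admin it is rendered nowhere, but the
// server-side definition still contains it.
$user_is_admin = FALSE;
$form = array(
  'title' => array('#type' => 'textfield', '#title' => 'Title'),
  'actions' => array(
    'save' => array('#type' => 'submit', '#value' => 'Save'),
    'publish' => array('#type' => 'submit', '#value' => 'Publish', '#access' => $user_is_admin),
  ),
);

// Constructed POST body: the non-admin adds the hidden button's name and value
// with JavaScript or curl, which is the attack the advisory describes.
$post = array('title' => 'Hello', 'publish' => 'Publish');

printf("vulnerable: triggering element = %s\n", var_export(example_triggering_button_vulnerable($form, $post), TRUE));
printf("hardened:   triggering element = %s\n", var_export(example_triggering_button_fixed($form, $post), TRUE));
```

The point a practitioner should take from this is that #access must be enforced when the submission is processed, not only when the form is rendered: hiding a button from the markup does nothing against a client that knows its name.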
Open redirect via double-encoded 'destination' parameter (Base system - Drupal 6 - Moderately Critical)

The drupal_goto() function in Drupal 6 improperly decodes the contents of $_REQUEST['destination'] before using it, which allows the function's open redirect protection to be bypassed and allows an attacker to initiate a redirect to an arbitrary external URL.

This vulnerability is mitigated by the fact that the attack is not possible for sites running on PHP 5.4.7 or greater.

Reflected file download vulnerability (System module - Drupal 6 and 7 - Moderately Critical)

Drupal core has a reflected file download vulnerability that could allow an attacker to trick a user into downloading and running a file with arbitrary JSON-encoded content.

This vulnerability is mitigated by the fact that the victim must be a site administrator and that the full version of the attack only works with certain web browsers.

Saving user accounts can sometimes grant the user all roles (User module - Drupal 6 and 7 - Less Critical)

Some specific contributed or custom code may call Drupal's user_save() API in a manner different than core. Depending on the data that has been added to a form or the array prior to saving, this can lead to a user gaining all roles on a site.

This issue is mitigated by the fact that it requires contributed or custom code that calls user_save() with an explicit category and code that loads all roles into the array.

Email address can be matched to an account (User module - Drupal 7 and 8 - Less Critical)

In certain configurations where a user's email address could be used to log in instead of their username, links to "have you forgotten your password" could reveal the username associated with a particular email address, leading to an information disclosure vulnerability.
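Two of the issues above concern the same operation, building a Location header from user input: the HTTP header injection via line breaks and the open redirect via a double-encoded 'destination'. The following added example, which is not Drupal core code, shows both mistakes beside a hardened version. PHP already decodes the query string once when it fills $_REQUEST, so a value sent as %252F%252Fevil.example arrives as %2F%2Fevil.example; code that checks that string and then calls urldecode() again checks the wrong thing. The example_* function names and the sample destinations are this example's own constructions; the 'destination' parameter name is Drupal's.

```php
<?php
// Added example, not Drupal core code: the two redirect-building mistakes the
// advisory describes, beside a hardened version. example_* names and the
// sample inputs are this example's own constructions.

/**
 * True if a path would leave the site: it carries a scheme (http:, javascript:)
 * or is scheme-relative (//evil.example). Deliberately string-based rather
 * than relying on parse_url().
 */
function example_is_external($path) {
  return (bool) preg_match('#^(?:[a-z][a-z0-9+.-]*:|//)#i', ltrim($path));
}

/**
 * Vulnerable: validates the raw value, then decodes it a second time before
 * use. "%2F%2Fevil.example" passes the check and only becomes
 * "//evil.example" after the extra urldecode().
 */
function example_redirect_target_vulnerable($destination) {
  if (example_is_external($destination)) {
    return '/';
  }
  return urldecode($destination);
}

/**
 * Hardened: never decode again what PHP has already decoded, validate the
 * exact string that will be emitted, and refuse CR/LF so the value cannot
 * terminate the header and start another one.
 */
function example_redirect_target_fixed($destination) {
  if (preg_match('/[\r\n]/', $destination)) {
    return '/';
  }
  if (example_is_external($destination)) {
    return '/';
  }
  return $destination;
}

/**
 * Builds a header line, refusing any name or value containing a line break.
 * This is the guard old PHP (before 5.1.2) did not apply for you.
 */
function example_set_header($name, $value) {
  if (preg_match('/[\r\n]/', $name . $value)) {
    throw new InvalidArgumentException('refusing header value containing CR/LF');
  }
  return $name . ': ' . $value;
}

// Constructed inputs, as they appear in $_REQUEST['destination'] after PHP's
// own single decode of the query string.
$cases = array(
  'node/1'                                 => 'ordinary internal path',
  '//evil.example'                         => 'sent once-encoded as %2F%2Fevil.example',
  '%2F%2Fevil.example'                     => 'sent double-encoded as %252F%252Fevil.example',
  "node/1\r\nSet-Cookie: session=attacker" => 'sent with %0D%0A (header injection)',
);

foreach ($cases as $destination => $label) {
  $vuln  = example_redirect_target_vulnerable($destination);
  $fixed = example_redirect_target_fixed($destination);
  printf("%s\n  vulnerable target: %s\n  hardened target:   %s\n",
    $label,
    json_encode($vuln, JSON_UNESCAPED_SLASHES),
    json_encode($fixed, JSON_UNESCAPED_SLASHES));
  try {
    example_set_header('Location', $vuln);
  } catch (InvalidArgumentException $e) {
    printf("  header guard: %s\n", $e->getMessage());
  }
}
```

The advisory's note that PHP 5.4.7 and later are not affected refers to parse_url(), whose handling of scheme-relative "//host" inputs changed in that release; the hardened function above does not depend on parse_url() at all, which is the safer choice whatever the PHP version.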
This issue is mitigated by the fact that it requires a contributed module to be installed that permits logging in with an email address, and that it is only relevant on sites where usernames are typically chosen to hide the users' real-life identities.

Session data truncation can lead to unserialization of user provided data (Base system - Drupal 6 - Less Critical)

On certain older versions of PHP, user-provided data stored in a session may be unserialized, leading to possible remote code execution.

This issue is mitigated by the fact that it requires an unusual set of circumstances to exploit and depends on the particular code that is running on the site. It is also believed to be mitigated by upgrading to PHP 5.4.45, 5.5.29, 5.6.13, or any higher version.

CVE identifier(s) issued

- File upload access bypass and denial of service: CVE-2016-3162
- Brute force amplification attacks via XML-RPC: CVE-2016-3163
- Open redirect via path manipulation: CVE-2016-3164
- Form API ignores access restrictions on submit buttons: CVE-2016-3165
- HTTP header injection using line breaks: CVE-2016-3166
- Open redirect via double-encoded 'destination' parameter: CVE-2016-3167
- Reflected file download vulnerability: CVE-2016-3168
- Saving user accounts can sometimes grant the user all roles: CVE-2016-3169
- Email address can be matched to an account: CVE-2016-3170
- Session data truncation can lead to unserialization of user provided data: CVE-2016-3171

Versions affected

- Drupal core 6.x versions prior to 6.38
- Drupal core 7.x versions prior to 7.43
- Drupal core 8.0.x versions prior to 8.0.4

Solution

Install the latest version:

- If you use Drupal 6.x, upgrade to Drupal core 6.38
- If you use Drupal 7.x, upgrade to Drupal core 7.43
- If you use Drupal 8.0.x, upgrade to Drupal core 8.0.4

Also see the Drupal core project page.

Reported by

- File upload access bypass and denial of service: fnqgpc
- Brute force amplification attacks via XML-RPC: Stéphane Corlosquet of the Drupal Security Team
- Open redirect via path manipulation: Francesco Placella; Heine Deelstra of the Drupal Security Team; Pere Orga of the Drupal Security Team; Peter Wolanin of the Drupal Security Team
- Form API ignores access restrictions on submit buttons: Drupal 10 Support: of the Drupal Security Team; Damien Tournoud of the Drupal Security Team; Daniel Kudwien
- HTTP header injection using line breaks: Dave Hansen-Lange
- Open redirect via double-encoded 'destination' parameter: Tarpinder Grewal; Harry Taheem; David Rothstein of the Drupal Security Team
- Reflected file download vulnerability: Juho Nurminen
- Saving user accounts can sometimes grant the user all roles: Dave Cohen; Annie Gerard
- Email address can be matched to an account: FengWen; Jimmy Henderickx
- Session data truncation can lead to unserialization of user provided data: David Jardin of the Joomla Security Team; Damien Tournoud of the Drupal Security Team; Heine Deelstra of the Drupal Security Team

Fixed by

- File upload access bypass and denial of service: fnqgpc; Nathaniel Catchpole of the Drupal Security Team; Ben Dougherty of the Drupal Security Team; Lee Rowlands of the Drupal Security Team; Sascha Grossenbacher; Drupal 10 Support: of the Drupal Security Team; Greg Knaddison of the Drupal Security Team; Klaus Purer of the Drupal Security Team; David Rothstein of the Drupal Security Team; Stefan Ruijsenaars, provisional member of the Drupal Security Team; Cathy Theys, provisional member of the Drupal Security Team; Peter Wolanin of the Drupal Security Team
- Brute force amplification attacks via XML-RPC: Frédéric G. Marand, provisional member of the Drupal Security Team; Peter Wolanin of the Drupal Security Team
- Open redirect via path manipulation: Nathaniel Catchpole of the Drupal Security Team; Ben Dougherty of the Drupal Security Team; Alan Evans; Nate Haug; Drupal 10 Support: of the Drupal Security Team; Heine Deelstra of the Drupal Security Team; David Stoline of the Drupal Security Team; Damien McKenna, provisional member of the Drupal Security Team; Pere Orga of the Drupal Security Team; Francesco Placella; Dave Reid of the Drupal Security Team; David Rothstein of the Drupal Security Team; Lee Rowlands of the Drupal Security Team; David Snopek of the Drupal Security Team; Cathy Theys, provisional member of the Drupal Security Team; Peter Wolanin of the Drupal Security Team
- Form API ignores access restrictions on submit buttons: chx; Daniel Kudwien; Alex Bronstein of the Drupal Security Team; Heine Deelstra of the Drupal Security Team; Dmitri Gaskin; Nate Haug; John Morahan; David Rothstein of the Drupal Security Team; Damien Tournoud of the Drupal Security Team; Peter Wolanin of the Drupal Security Team
- HTTP header injection using line breaks: Dave Hansen-Lange; David Rothstein of the Drupal Security Team; Nathaniel Catchpole of the Drupal Security Team; Klaus Purer of the Drupal Security Team
- Open redirect via double-encoded 'destination' parameter: David Rothstein of the Drupal Security Team; Alex Bronstein of the Drupal Security Team
- Reflected file download vulnerability: Juho Nurminen; David Rothstein of the Drupal Security Team; Damien Tournoud of the Drupal Security Team; Peter Wolanin of the Drupal Security Team; Nate Haug
- Saving user accounts can sometimes grant the user all roles: Dave Cohen; Greg Knaddison of the Drupal Security Team; Rick Manelius of the Drupal Security Team; Balazs Nagykekesi; David Rothstein of the Drupal Security Team; Peter Wolanin of the Drupal Security Team
- Email address can be matched to an account: Klaus Purer of the Drupal Security Team; David Rothstein of the Drupal Security Team
- Session data truncation can lead to unserialization of user provided data: Heine Deelstra of the Drupal Security Team; Damien Tournoud of the Drupal Security Team; David Rothstein of the Drupal Security Team; Peter Wolanin of the Drupal Security Team

Coordinated by

- The Drupal Security Team
- Cathy Theys, provisional member of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security Team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 6.x, 7.x, 8.x
Source: https://www.drupal.org/security/rss.xml
Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-001