Drupal 7.91, 9.3.19, and 9.4.3 released with several critical security fixes

Published On 21 Jul 2022

Drupal, a popular content management system written in PHP, released three new versions across all of the current version series, fixing several security vulnerabilities. These releases include fixes for information disclosure, code execution, access bypass, and cross-site scripting vulnerabilities found in earlier versions.

  • Drupal 7 sites are advised to upgrade to Drupal 7.91
  • Drupal 9.3.x sites are advised to upgrade to Drupal 9.3.19
  • Drupal 9.4.x sites are advised to upgrade to Drupal 9.4.3

Drupal 8.x series, Drupal 9.0, 9.1, and 9.2 series have reached their End-Of-Life, and do not receive security support anymore.

Backdrop CMS, a fork of Drupal 7 that evolved into a CMS of its own, also released Backdrop CMS 1.22.1 fixing applicable vulnerabilities.

Drupal core updates can be made manually by replacing the installation files, using Drush, or by using Composer.

SA-CORE-2022-012

SA-CORE-2022-012 (CVE-2022-25275) is a moderately critical information disclosure vulnerability fixed in Drupal 7.91, Drupal 9.3.19, and Drupal 9.4.3. Files using URI schemes other than public://, private:// and temporary:// might be revealed if the built-in, default access protection was overridden by enabling the "insecure derivatives" configuration.

Private files stored with the private:// URI scheme, which is the default and common setting, are not exposed by this vulnerability, which greatly reduces its attack vectors.

Further, this vulnerability is mitigated if the Drupal sites have not turned off the default security setting with $conf['image_allow_insecure_derivatives'] = true (Drupal 7) or $config['image.settings']['allow_insecure_derivatives'] = true (Drupal 9). Drupal does not provide any user interface to allow insecure derivatives.
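A triage check covering the upgrade list above and the insecure-derivatives override, as an added example that is not from the article or the Drupal project. The function names and the sample settings.php text are constructed for illustration, and the comment filter is a line-based heuristic rather than a PHP parser.

```python
import re

# Fixed releases and end-of-life series, as listed in this article.
FIXED = {(7,): (7, 91), (9, 3): (9, 3, 19), (9, 4): (9, 4, 3)}
EOL_SERIES = {(8,), (9, 0), (9, 1), (9, 2)}

# The two settings.php overrides named above (Drupal 7 and Drupal 9).
KEY_D7 = r"\$conf\[\s*['\"]image_allow_insecure_derivatives['\"]\s*\]"
KEY_D9 = (r"\$config\[\s*['\"]image\.settings['\"]\s*\]"
          r"\[\s*['\"]allow_insecure_derivatives['\"]\s*\]")
INSECURE_RE = re.compile(r"(?:%s|%s)\s*=\s*(?:true|1)\b" % (KEY_D7, KEY_D9), re.I)


def version_status(version):
    """Classify a Drupal core version string against the releases above."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError("not a version string: %r" % version)
    parts = tuple(int(p) for p in match.group().split("."))
    # Drupal 7 and 8 are tracked by major version, Drupal 9 by minor series.
    series = parts[:1] if parts[0] in (7, 8) else parts[:2]
    if series in EOL_SERIES:
        return "end-of-life"
    fixed = FIXED.get(series)
    if fixed is None:
        return "not covered by this article"
    if parts >= fixed:
        return "patched"
    return "upgrade to " + ".".join(str(n) for n in fixed)


def insecure_derivatives_enabled(settings_php):
    """True if an uncommented line sets either override to TRUE."""
    for line in settings_php.splitlines():
        stripped = line.strip()
        # Heuristic: skip line comments and docblock lines; PHP is not parsed.
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        if INSECURE_RE.search(stripped):
            return True
    return False


# Constructed sample: one commented-out override and one active override.
SAMPLE_SETTINGS = """<?php
// $conf['image_allow_insecure_derivatives'] = TRUE;
$config['image.settings']['allow_insecure_derivatives'] = TRUE;
"""

if __name__ == "__main__":
    print(version_status("9.4.2"), insecure_derivatives_enabled(SAMPLE_SETTINGS))
```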

SA-CORE-2022-013

SA-CORE-2022-013 (CVE-2022-25278) is a moderately critical access bypass vulnerability in the Form API, only present in Drupal 9. This is fixed in Drupal 9.3.19 and Drupal 9.4.3.

Prior versions of Drupal contain a vulnerability in the Form API implementation: it did not properly evaluate access to form elements (with the #access property or another way), and allowed the submitted values to be overwritten even though access to the element is disallowed.

Drupal core does not use forms that are affected, but there might be contributed/custom modules or themes that rely on the Form API to safeguard form values.

SA-CORE-2022-014

SA-CORE-2022-014 (CVE-2022-25277) is a critical security vulnerability fixed in Drupal 9.3.19 and Drupal 9.4.3 (Drupal 7 is not affected) that could lead to code execution.

Drupal's file name sanitization mechanisms did not properly sanitize .htaccess files, which could allow an attacker to upload an .htaccess file to bypass Drupal's built-in protections against code execution in file upload directories, leading to a code execution vulnerability.

However, it requires a user with administrative permissions to allow the htaccess file extension, a permission that is usually only granted to trusted users, and the attacker must manage to upload an executable file even after a new htaccess file was uploaded to disable existing safeguards against file execution. Further, this vulnerability is only exploitable on Drupal sites that are hosted on the Apache web server (and some versions of the LiteSpeed web server), because other web server software does not evaluate .htaccess files.
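A defender-side check for the upload directory described above, as an added example that is not from the article or Drupal core: it lists .htaccess files found anywhere other than the top of the files directory and confirms the top-level one still carries Drupal's handler marker. The function name and the assumption that only the top-level .htaccess is Drupal's own are illustrative.

```python
import os

# Marker that Drupal writes into the .htaccess it places in upload directories.
DRUPAL_MARKER = "Drupal_Security_Do_Not_Remove_See_SA_2006_006"


def audit_upload_dir(files_root):
    """Report .htaccess files below files_root and the state of the root one.

    Assumption: only the .htaccess at the top of the directory is Drupal's
    own; any other file whose name ends in .htaccess is reported for review.
    """
    root = os.path.abspath(files_root)
    unexpected = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".htaccess"):
                continue
            if dirpath == root and name == ".htaccess":
                continue  # Drupal's own file, checked separately below
            unexpected.append(os.path.relpath(os.path.join(dirpath, name), root))

    root_protected = False
    try:
        with open(os.path.join(root, ".htaccess"), encoding="utf-8",
                  errors="replace") as handle:
            root_protected = DRUPAL_MARKER in handle.read()
    except OSError:
        pass  # missing or unreadable: reported as not protected
    return {"unexpected": sorted(unexpected), "root_protected": root_protected}


if __name__ == "__main__":
    import sys
    print(audit_upload_dir(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against each public files directory on Apache-hosted sites; any entry under "unexpected" or a false "root_protected" warrants a manual review of that file.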

SA-CORE-2022-015

SA-CORE-2022-015 (CVE-2022-25276) is a moderately critical security vulnerability in Drupal 9's Media oEmbed feature that could be used to display external (and potentially offensive) content in the context of the primary domain. Because browsers do not restrict access to data on the same origin, this can be exploited to extract information including browser cookies, cross-site scripting, etc.

This vulnerability is fixed in Drupal 9.3.19 and Drupal 9.4.3. Drupal 7 does not offer a Media module and is not vulnerable.


All Drupal 7, 9.3, and 9.4 sites running older versions are encouraged to upgrade to the latest version immediately.
