GHSA-mh4h-27gq-cxwj: Drupal core Access bypass

May 15, 2024

The Media Library module has a security vulnerability whereby it doesn’t sufficiently restrict access to media items in certain configurations.

Solution: If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11. If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1. Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Alternatively, you may mitigate this vulnerability by unchecking the “Enable advanced UI” checkbox on /admin/config/media/media-library. (This mitigation is not available in 8.7.x.)

References

github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2019-12-18-3.yaml
github.com/advisories/GHSA-mh4h-27gq-cxwj
github.com/drupal/core
www.drupal.org/sa-core-2019-011

Code Behaviors & Features

Detect and mitigate GHSA-mh4h-27gq-cxwj with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →