Drupal issued two security advisories warning of a vulnerabilities affecting several versions of Drupal that could allow an attacker to access sensitive information.
There are two vulnerabilities currently affecting Drupal. One is rated as a high severity critical vulnerability.
Vulnerability in Third Party Library
Drupal uses a third party templating engine called Twig.
According to Drupal documentation:
“When your web page renders, the Twig engine takes the template and converts it into a ‘compiled’ PHP template which is stored in a protected directory…”
The Twig library is used by Drupal for templating but also for a process called sanitization, which is a way to prevent malicious files from being uploaded.
Twig describes the vulnerabilities as one that allows an attacker to use the filesystem loader to access sensitive files.
“Multiple vulnerabilities are possible if an untrusted user has access to write Twig code, including potential unauthorized read access to private files, the contents of
other files on the server, or database credentials.”
This vulnerability affects users of Drupal 9.3 and 9.4.
Recommended Course of Action for Mitigating Vulnerability
Users of Drupal 9.3 are recommended to update to version 9.3.22.
Users of Drupal 9.4 are advised to update to version 9.4.7.
Drupal also warned of an Access Bypass vulnerability that is rated as moderate affecting publishers that use the S3 File System module for Drupal 7.x.
An access bypass vulnerability is one in which an attacker is able to bypass authentication barriers and access to an application and sensitive files that they should not
otherwise have access to.
The vulnerability is described as:
“The module doesn’t sufficiently prevent file access across multiple filesystem schemes stored in the same bucket.”
The advisory notes that this vulnerability is mitigated by several steps that need to be taken before an attacker can gain access.
The advisory explains:
“This vulnerability is mitigated by the fact that an attacker must obtain a method to access arbitrary file paths, the site must have public or private takeover enabled, and the file metadata cache must be ignored.”
Recommended Course of Action
Drupal users who use the S3 File System module for Drupal 7.x are advised to upgrade to S3 File System 7.x-2.14 in order to patch the vulnerability.
Drupal core – Critical – Multiple vulnerabilities – SA-CORE-2022-016
S3 File System – Moderately critical – Access bypass – SA-CONTRIB-2022-057
Twig security release: Possibility to load a template outside a configured directory when using the filesystem loader
Featured image by Shutterstock/Andrey_Popov