Drupal Core Security update got released on 18^th January 2023, aiming to address the important information disclosure vulnerabilities in the Media Library module for Drupal 9.4, 9.5 and 10.0. Get started by downloading the official Drupal core files.

You May Like

Interview

Drupal's Future Excites and Warrants Consideration: Boyan Borisov

Interview

Drupal's Future Excites and Warrants Consideration: Boyan Borisov

These official releases come bundled with various modules and themes to give you a good starting point to help build your site. Drupal core includes basic community features like blogging, forums, and contact forms and can be easily extended by downloading other contributed modules and themes.

The Media Library module does not properly check entity access in some circumstances, which could allow users with access to edit content to view metadata about media items they may not otherwise be authorized to access. Although the inaccessible media will only be visible to those with edit access to the content that includes a media reference field, this vulnerability can still be exploited to gain an increased understanding of the media items on the system. To mitigate this vulnerability, it is important to ensure that all users are given appropriate access to the media library, and that access is restricted as needed.

Solution: 

Install the latest version:

• If you are using Drupal 10.0, update to Drupal 10.0.2.
• If you are using Drupal 9.5, update to Drupal 9.5.2.
• If you are using Drupal 9.4, update to Drupal 9.4.10.

All versions of Drupal 9 before 9.4.x are end-of-life and do not receive security coverage. This means that any security issues identified for these versions will not be addressed. Additionally, any installation of these versions is at risk of web security breaches or malicious attacks. Note that Drupal 8 has reached its end of life and is no longer receiving security coverage.

The Drupal Security Team is committed to ensuring that all users have access to the latest security updates and will continue to monitor and respond to any security threats actively.