Miggo Logo
Miggo Vulnerability Database
CVE-2019-6342

CVE-2019-6342: Drupal Improper Access Control

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-6342
GHSA ID
GHSA-xq62-62c9-22mg
EPSS Score
0.42547%
CWE
CWE-284
Published
1/11/2024
Updated
2/5/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
drupal/corecomposer> 8.7.3, < 8.7.58.7.5
drupal/drupalcomposer> 8.7.3, < 8.7.58.7.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from improper logical operator usage in access control checks. The commit diff shows the critical change from orIf() to andIf() in bypassAccessResult(), which directly addresses the access bypass flaw. The accompanying test modification in WorkspaceBypassTest.php confirms the behavioral change from allowing (200) to denying (403) access when users have the bypass permission but don't own the workspace. No other functions in the patch demonstrate security-relevant changes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n ****ss *yp*ss vuln*r**ility *xists w**n t** *xp*rim*nt*l Worksp***s mo*ul* in *rup*l * *or* is *n**l**. T*is **n ** miti**t** *y *is**lin* t** Worksp***s mo*ul*. It *o*s not *****t *ny r*l**s* ot**r t**n *rup*l *.*.*.

Reasoning

T** vuln*r**ility st*mm** *rom improp*r lo*i**l op*r*tor us*** in ****ss *ontrol ****ks. T** *ommit *i** s*ows t** *riti**l ***n** *rom `orI*()` to `*n*I*()` in `*yp*ss****ssR*sult()`, w*i** *ir**tly ***r*ss*s t** ****ss *yp*ss *l*w. T** ***omp*nyin*