DRUPAL-CONTRIB-2021-003

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/subgroup/DRUPAL-CONTRIB-2021-003.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2021-003

Published

2021-01-27T17:53:09Z

Modified

2025-12-10T23:31:51.670519Z

Summary

[none]

Details

This module enables you to add groups to other groups in a tree structure where access can be inherited up or down the tree.

When you configure Subgroup to have a tree with at least three levels, users may inadvertently get permissions in a group that is an uncle or cousin of the source group, rather than a direct ancestor or descendant. Trees with only multiple nodes at the lowest tier (or nowhere) are unaffected.

References

https://www.drupal.org/sa-contrib-2021-003

Credits

- Mori Sugimoto
- - https://www.drupal.org/user/82971
- kyk
- - https://www.drupal.org/user/29822

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/subgroup

Package

Name: drupal/subgroup
Purl: pkg:composer/drupal/subgroup

Affected ranges

Type

ECOSYSTEM

Events

Introduced

1.0.0

Last affected

1.0.0

Database specific

{
    "constraint": "1.0.0"
}

Database specific

affected_versions

"1.0.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/subgroup/DRUPAL-CONTRIB-2021-003.json"