DRUPAL-CONTRIB-2023-054

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/group/DRUPAL-CONTRIB-2023-054.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-054
Published
2023-12-06T16:16:28Z
Modified
2025-12-10T23:30:18.205522Z
Summary
[none]
Details

The Group module has the ability to make content private to specific groups. When viewing a list of entities, e.g. nodes, a visitor should only see those entities that are either not attached to a group or that they have group access to.

The module doesn't sufficiently enforce list access under the scenario where two users have the same outsider and insider permissions, but are members of different groups without any individual roles being assigned to said memberships. In such a scenario, the permissions hash for both will be the same even though it should differ.

This vulnerability is mitigated by the fact that an attacker must have the same hash as someone else, which is quite rare yet not unthinkable.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/group

Package

Name
drupal/group
Purl
pkg:composer/drupal/group

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.2.2
Database specific
{
    "constraint": ">=2.0.0 <2.2.2"
}
Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.2.2
Database specific
{
    "constraint": ">=3.0.0 <3.2.2"
}

Database specific

affected_versions
">=2.0.0 <2.2.2 || >=3.0.0 <3.2.2"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/group/DRUPAL-CONTRIB-2023-054.json"