The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace.
The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content.
This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module.
Install the latest version:
- If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.
- If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6.
- If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6.
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.
Once a site running Workspaces is upgraded, authenticated users may continue to see unauthorized workspace content that they accessed previously until they are logged out.
If it is important for the unintended access to stop immediately, you may wish to end all active user sessions on your site (for example, by truncating the sessions table). Be aware that this will immediately log all users out and can cause side effects like lost user input.
- Andrei Mateescu
- Jess of the Drupal Security Team
- Nathaniel Catchpole of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Dick Olsson