CIVI-SA-2015-008: ACL bypass in 4.6.7

Published
2015-08-26 14:46

CiviCRM 4.6.7 introduced an access bypass issue which applied to a limited number of sites.

The issue affected only certain configurations, where the site used ACLs to limit access, and applied to users whose permissions included “access CiviCRM” and “view my contact” but not “view all contacts”. Changes introduced in CRM-16512 allowed the “view my contact” permission for those users to incorrectly grant access to all contacts.
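To make the permission boundary concrete, the following is an added illustrative model (Python, written for this page, not CiviCRM code) of how a contact-visibility check should combine the three permissions named above with ACL grants, placed next to the collapsed check the advisory describes, where “view my contact” ends up answering for every contact. The `User` type, the `ACL_RULES` table, the role name and the contact ids are constructed for the example and do not correspond to CiviCRM internals.

```python
from dataclasses import dataclass

# The three permissions named in the advisory, used as plain strings.
ACCESS_CIVICRM = "access CiviCRM"
VIEW_MY_CONTACT = "view my contact"
VIEW_ALL_CONTACTS = "view all contacts"


@dataclass(frozen=True)
class User:
    """Constructed model of a logged-in user (not a CiviCRM type)."""
    user_id: int
    own_contact_id: int               # contact record linked to this login
    permissions: frozenset[str]
    acl_roles: frozenset[str] = frozenset()  # hypothetical ACL roles held


# Hypothetical ACL table: role -> contact ids that role may view.
ACL_RULES = {
    "region-north": {201, 202},
}


def acl_visible_contacts(user: User) -> set[int]:
    """Contacts reachable through ACL rules (constructed lookup)."""
    visible: set[int] = set()
    for role in user.acl_roles:
        visible |= ACL_RULES.get(role, set())
    return visible


def can_view_contact_collapsed(user: User, contact_id: int) -> bool:
    """Models the 4.6.7 behaviour the advisory describes: holding
    'view my contact' is treated the same as 'view all contacts', so the
    user's own record is never distinguished from everyone else's."""
    if ACCESS_CIVICRM not in user.permissions:
        return False
    if VIEW_ALL_CONTACTS in user.permissions or VIEW_MY_CONTACT in user.permissions:
        return True  # defect: 'view my contact' collapses into 'view all'
    return contact_id in acl_visible_contacts(user)


def can_view_contact_fixed(user: User, contact_id: int) -> bool:
    """Intended semantics: 'view my contact' reaches only the user's own
    record; any other contact needs 'view all contacts' or an ACL grant."""
    if ACCESS_CIVICRM not in user.permissions:
        return False
    if VIEW_ALL_CONTACTS in user.permissions:
        return True
    if VIEW_MY_CONTACT in user.permissions and contact_id == user.own_contact_id:
        return True
    return contact_id in acl_visible_contacts(user)


def regression_report(check, user: User, contact_ids) -> dict[int, bool]:
    """Evaluate one checker over several contacts; running it with both
    checkers and diffing the results shows exactly which records leak."""
    return {cid: check(user, cid) for cid in contact_ids}


# Constructed sample: an ACL-restricted user with the permission set named
# in the advisory ('access CiviCRM' and 'view my contact', no 'view all').
LIMITED_USER = User(
    user_id=7,
    own_contact_id=101,
    permissions=frozenset({ACCESS_CIVICRM, VIEW_MY_CONTACT}),
    acl_roles=frozenset({"region-north"}),
)

if __name__ == "__main__":
    targets = [101, 201, 999]  # own record, ACL-granted record, unrelated record
    print("collapsed check:", regression_report(can_view_contact_collapsed, LIMITED_USER, targets))
    print("fixed check:    ", regression_report(can_view_contact_fixed, LIMITED_USER, targets))
```

The unrelated contact (999 in the constructed sample) is the one that separates the two checkers: the fixed logic denies it while the collapsed logic allows it, which is the information-disclosure condition this advisory describes. A regression test of this shape, pinned to a user who holds “view my contact” but not “view all contacts”, is the kind of check that catches a permission-collapse defect before release.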

This issue is mitigated by the fact that only sites so configured are affected, but for the sites that are affected the potential severity led us to make an out-of-schedule security release.

Security Risk

Critical

Vulnerability

Information Disclosure

Affected Versions

CiviCRM 4.6.7 (only)

Fixed Versions

CiviCRM 4.6.8+

Solutions

The solution is to upgrade to CiviCRM 4.6.8. The same change was not applied to the 4.4 branch, so sites using 4.4 were not affected and need not upgrade.

Credits

The issue was identified and resolved by Eileen McNaughton.

References

https://issues.civicrm.org/jira/browse/CRM-16512