CIVI-SA-2020-02: API Key Disclosure

Published
2020-04-15 12:00

Using a carefully crafted request, a backend user could determine the API credentials of another user.

Security Risk
Critical
Vulnerability
Access Bypass
Information Disclosure
Affected Versions

CiviCRM version 5.24.2 and earlier

Fixed Versions

CiviCRM version 5.24.3 and 5.21.3
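
The following is an added helper, not part of the advisory or the CiviCRM project, that turns the affected and fixed version ranges stated above into a check a site administrator can run against an installed version string. It assumes plain `MAJOR.MINOR.PATCH` version strings (an optional leading `v` and a trailing suffix are tolerated, pre-release labels such as alpha builds are not) and interprets the advisory as follows: a release on the 5.24 or 5.21 branch is patched once it reaches 5.24.3 or 5.21.3 respectively, and any other release at or below 5.24.2 is affected.

```python
# Added example for CIVI-SA-2020-02 (not code from the advisory or from CiviCRM):
# classify an installed CiviCRM version as affected or patched using only the
# version numbers the advisory states.
from __future__ import annotations

import re

# Fix releases named in the advisory: 5.24.3 (current branch) and 5.21.3 (ESR).
FIXED_VERSIONS: tuple[tuple[int, int, int], ...] = ((5, 24, 3), (5, 21, 3))

# "CiviCRM version 5.24.2 and earlier" is the advisory's affected range.
LAST_AFFECTED: tuple[int, int, int] = (5, 24, 2)

# Assumption: MAJOR.MINOR.PATCH with optional leading "v" and optional suffix
# (e.g. "5.24.3-dev"); pre-release labels like "5.24.alpha1" are rejected.
_VERSION_RE = re.compile(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.]+)?\s*")


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse a CiviCRM version string into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.fullmatch(version)
    if not match:
        raise ValueError(f"unrecognised CiviCRM version string: {version!r}")
    return int(match.group(1)), int(match.group(2)), int(match.group(3))


def is_affected(version: str) -> bool:
    """Return True if the given CiviCRM version is in the advisory's affected range."""
    installed = parse_version(version)
    # On a branch that received a fix release, the site is patched once it is
    # at or above that release (5.21.3 on ESR, 5.24.3 on the current branch).
    for fixed in FIXED_VERSIONS:
        if installed[:2] == fixed[:2]:
            return installed < fixed
    # Every other branch: affected if at or below 5.24.2, otherwise newer than the fix.
    return installed <= LAST_AFFECTED


def report(versions: list[str]) -> dict[str, str]:
    """Map each version string to 'affected', 'patched', or 'unparseable'."""
    result: dict[str, str] = {}
    for version in versions:
        try:
            result[version] = "affected" if is_affected(version) else "patched"
        except ValueError:
            result[version] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory of site versions, not real data.
    for ver, status in report(["5.24.2", "5.24.3", "5.21.2", "5.21.3", "5.22.1", "5.25.0"]).items():
        print(f"{ver:>8}: {status}")
```

The branch-aware rule matters because a naive "less than 5.24.3" comparison would flag a patched 5.21.3 ESR site as vulnerable; conversely, the general "5.24.2 and earlier" rule still catches intermediate branches such as 5.22.x and 5.23.x, which the advisory does not list as having fix releases.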

Solutions

Upgrade to the latest version of CiviCRM

Credits

Patrick Figel (Greenpeace CEE) for reporting the issue
Patrick Figel (Greenpeace CEE) and Eileen McNaughton (Wikimedia Foundation) for resolving the issue

References

security/core#73