Drupal 7 Moderately Critical Privilege Escalation Vulnerability in Role Delegation

On March 23rd, 2022 the Drupal Security Team announced a moderately critical privilege escalation vulnerability in the Role Delegation project in security advisory SA-CONTRIB-2022-031. The vulnerability is rated moderately critical with a risk score of 14/25 (AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default).

The Role Delegation module allows site administrators to grant specific roles the authority to assign selected roles to users without needing the "administer permissions" permission. For each role, Role Delegation provides a new "assign ROLE role" permission that allows assignment of that role. The module also provides an "assign all roles" permission, so that every individual "assign ROLE role" permission does not have to be checked on the permissions page.

50,527 sites report using the Role Delegation module.

The privilege escalation arises because the module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module: an authenticated user is able to assign the administrator role to their own user account.

This vulnerability is mitigated by the fact that an attacker must have access to an overview of users with the Views Bulk Operations module enabled; the admin_views module, for example, provides such a view.
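The permission model and the bulk-operation bypass described above, as an added example that is not the Role Delegation module's own code: a self-contained PHP 7 sketch of the check a bulk role-assignment action has to make for every role and every target, so that being able to reach a user listing never stands in for authorization. The permission strings follow the "assign ROLE role" and "assign all roles" naming from the advisory; the accounts, permissions and helper names are constructed for the example.

```php
<?php
// Constructed sample accounts: uid => name, permissions, roles.
// Permission strings follow Role Delegation's naming from the advisory.
$accounts = [
  1 => ['name' => 'site_admin',  'permissions' => ['assign all roles'],    'roles' => ['administrator']],
  2 => ['name' => 'editor_lead', 'permissions' => ['assign editor role'],  'roles' => ['editor']],
  3 => ['name' => 'member',      'permissions' => [],                      'roles' => []],
];

// An acting account may hand out $role only through a delegated permission:
// the blanket "assign all roles" or the per-role "assign ROLE role".
function can_assign_role(array $actor, string $role): bool {
  return in_array('assign all roles', $actor['permissions'], true)
      || in_array("assign $role role", $actor['permissions'], true);
}

// Bulk action: apply $role to every selected uid. The check runs on the
// acting account for each role, not on whether the listing was reachable,
// and it is not skipped when the actor selects its own uid.
// Returns ['granted' => [uids], 'denied' => [uids]].
function bulk_assign_role(array &$accounts, int $actor_uid, string $role, array $target_uids): array {
  $actor = $accounts[$actor_uid] ?? ['permissions' => []];
  $result = ['granted' => [], 'denied' => []];
  foreach ($target_uids as $uid) {
    if (!isset($accounts[$uid]) || !can_assign_role($actor, $role)) {
      $result['denied'][] = $uid;   // a real site would log this for review
      continue;
    }
    if (!in_array($role, $accounts[$uid]['roles'], true)) {
      $accounts[$uid]['roles'][] = $role;
    }
    $result['granted'][] = $uid;
  }
  return $result;
}

// An authenticated member selecting itself for administrator is denied.
$r = bulk_assign_role($accounts, 3, 'administrator', [3]);
assert($r === ['granted' => [], 'denied' => [3]]);
// A delegated editor lead may grant editor, but not administrator.
$r = bulk_assign_role($accounts, 2, 'editor', [3]);
assert($r === ['granted' => [3], 'denied' => []]);
$r = bulk_assign_role($accounts, 2, 'administrator', [2]);
assert($r === ['granted' => [], 'denied' => [2]]);
echo 'roles of uid 3: ' . implode(', ', $accounts[3]['roles']) . PHP_EOL;
```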

The vulnerability was reported and fixed by Michael Forbes, Jeroen Tubex, and Stein Setvik, with coordination by Greg Knaddison of the Drupal Security Team.

Solution:
If you use the Role Delegation module for Drupal 7.x, upgrade to Role Delegation 7.x-1.3.

Source: https://www.drupal.org/sa-contrib-2022-031
