User information (UID, name, and roles) of the currently logged-in user is added to each response. This should happen after the dynamic page cache has processed the response, but since 10.4 the dynamic page cache does its work earlier. As a result, the user information is cached and may be disclosed to other users (user ID, user name, roles).
After clarification with the security team, the issue has been triaged as not security-relevant since only user ID, name and roles can be disclosed.
To reproduce the issue:
1. Enable the module.
2. Create 2 users, alice & bob, with the same roles.
3. Create a node (as any user).
4. Load the API output as user alice (e.g. /ce-api/node/1): the output should contain the current_user alice, including uid, name and roles.
5. Load the API output as user bob. The output still contains alice's data.
Affected versions: 1.1.0 & 1.2.0
Adjust ordering + improve cache metadata such that it cannot happen again, even if the ordering is messed up.
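
The ordering problem and the cache-metadata fix described above, as a simplified model added here (not Drupal's or the module's code). The class and function names are hypothetical; the path and user names follow the reproduction steps.

```python
# Simplified model of a response cache that varies by declared cache contexts.
# Added example: not Drupal's or the module's code; all names are hypothetical.
class ContextCache:
    """Caches one response body per path and per declared context value."""
    def __init__(self):
        self.contexts = {}  # path -> contexts declared by the cached response
        self.entries = {}   # (path, context value) -> response body

    def _key(self, path, user):
        ctx = self.contexts.get(path, frozenset())
        # The uid only becomes part of the key if "user" was declared.
        return (path, user["uid"] if "user" in ctx else None)

    def get(self, path, user):
        body = self.entries.get(self._key(path, user))
        return dict(body) if body is not None else None

    def set(self, path, user, body, contexts):
        self.contexts[path] = frozenset(contexts)
        self.entries[self._key(path, user)] = dict(body)

def add_current_user(body, user, contexts, declare_user_context):
    body["current_user"] = {k: user[k] for k in ("uid", "name", "roles")}
    if declare_user_context:
        contexts.add("user")  # cache metadata: this response varies per user

def handle(cache, path, user, add_before_cache, declare_user_context):
    body = cache.get(path, user)
    if body is None:
        body, contexts = {"title": "Node 1"}, set()
        if add_before_cache:  # the broken ordering: user data gets cached
            add_current_user(body, user, contexts, declare_user_context)
        cache.set(path, user, body, contexts)
    if not add_before_cache:  # intended ordering: added after caching
        add_current_user(body, user, set(), False)
    return body

def second_user_sees(add_before_cache, declare_user_context):
    """Request the same path as alice, then bob; return the name bob is shown."""
    cache = ContextCache()
    alice = {"uid": 2, "name": "alice", "roles": ["authenticated"]}  # constructed
    bob = {"uid": 3, "name": "bob", "roles": ["authenticated"]}      # constructed
    handle(cache, "/ce-api/node/1", alice, add_before_cache, declare_user_context)
    result = handle(cache, "/ce-api/node/1", bob, add_before_cache, declare_user_context)
    return result["current_user"]["name"]
```

With the broken ordering and no user context, bob receives alice's entry. Declaring the user context keeps the entries separate even when the ordering is wrong.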
Active
1.2
Code