
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-mh4h-27gq-cxwj) was identified in Drupal core's Media Library module, specifically affecting versions 8.0.0 through 8.7.11 and 8.8.0 through 8.8.1. Disclosed on December 18, 2019, this moderately critical access bypass vulnerability stems from insufficient access restrictions to media items in certain configurations (Drupal Advisory).
The vulnerability has been assigned a CVSS v3.1 base score of 4.3, indicating moderate severity. The CVSS metrics show that the vulnerability is exploitable over the network with low attack complexity and requires low privileges but no user interaction. The scope is unchanged, with low impact on confidentiality and no impact on integrity or availability (GitHub Advisory).
The vulnerability allows unauthorized access to media items under specific configurations, potentially exposing sensitive media content to users who should not have access. The impact is primarily focused on confidentiality with a low severity rating (Drupal Advisory).
Two mitigation options are available: Users of Drupal 8.7.x should upgrade to version 8.7.11, while users of Drupal 8.8.x should upgrade to version 8.8.1. For versions where immediate upgrade is not possible, users can alternatively mitigate the vulnerability by unchecking the 'Enable advanced UI' checkbox at /admin/config/media/media-library, though this workaround is not available in 8.7.x. Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage (Drupal Advisory).
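The mitigation guidance above can be applied to an inventory of sites as a version triage. This is an added example, not code from Drupal or the advisory; it assumes the upgrade targets named above (8.7.11 and 8.8.1) are the first fixed releases, and the function names, result strings and sample inventory are constructed for illustration.

```python
import re

# Upgrade target per supported branch, taken from the mitigation text above.
# Assumption: these are the first fixed patch releases on each branch.
FIXED_PATCH = {(8, 7): 11, (8, 8): 1}
# Per the text above, the 'Enable advanced UI' workaround is not available in 8.7.x.
WORKAROUND_BRANCHES = {(8, 8)}


def parse_version(text):
    """Parse '8.8.0' or '8.8.1-rc1' into (major, minor, patch, prerelease)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal core version: {text!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    return major, minor, patch, m.group(4)


def triage(version):
    """Map a Drupal core version to the action the advisory text implies."""
    major, minor, patch, pre = parse_version(version)
    branch = (major, minor)
    if major != 8 or branch > (8, 8):
        return "out of scope for this advisory"
    if branch < (8, 7):
        return "end-of-life: move to a supported branch"
    fixed = FIXED_PATCH[branch]
    # A pre-release of the fixed version (e.g. 8.8.1-rc1) is treated as unfixed.
    if patch > fixed or (patch == fixed and pre is None):
        return "fixed"
    target = f"{major}.{minor}.{fixed}"
    if branch in WORKAROUND_BRANCHES:
        return f"upgrade to {target}, or uncheck 'Enable advanced UI' meanwhile"
    return f"upgrade to {target} (no workaround on this branch)"


def triage_inventory(inventory):
    """Return {site: action} for a {site: version} mapping."""
    return {site: triage(version) for site, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; site names are hypothetical.
    sample = {"intranet": "8.6.18", "press": "8.7.10", "shop": "8.8.0", "blog": "8.8.1"}
    for site, action in triage_inventory(sample).items():
        print(f"{site:10} {action}")
```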
Source: This report was generated using AI