View online: https://www.drupal.org/psa-2018-001
* Advisory ID: DRUPAL-PSA-2018-001
* Project: Drupal Core
* Version: 7.x, 8.x
* Date: 2018-March-21
-------- DESCRIPTION
---------------------------------------------------------
There will be a security release of *Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on
March 28th 2018 between 18:00 - 19:30 UTC*, one week from the publication of
this document, that will fix a highly critical security vulnerability. The
Drupal Security Team urges you to reserve time for core updates at that time
because exploits /might/ be developed within hours or days. Security release
announcements will appear on the Drupal.org security advisory page [1].
While Drupal 8.3.x and 8.4.x are no longer supported and we don't normally
provide security releases for unsupported minor releases [2], given the
potential severity of this issue, we /are/ providing 8.3.x and 8.4.x releases
that includes the fix for sites which have not yet had a chance to update to
8.5.0. The Drupal security team strongly recommends the following:
* Sites on 8.3.x should immediately update to the 8.3.x release that will
be
provided in the advisory, and then plan to update to the latest 8.5.x
security release in the next month.
* Sites on 8.4.x should immediately update to the 8.4.x release that will
be
provided in the advisory, and then plan to update to the latest 8.5.x
security release in the next month.
* Sites on 7.x or 8.5.x can immediately update when the advisory is
released
using the normal procedure.
The security advisory will list the appropriate version numbers for all three
Drupal 8 branches. Your site's update report page will recommend the 8.5.x
release even if you are on 8.3.x or 8.4.x, but temporarily updating to the
provided backport for your site's current version will ensure you can update
quickly without the possible side effects of a minor version update.
The Security Team or any other party is not able to release any more
information about this vulnerability until the announcement is made. The
announcement will be made public at www.drupal.org/security [3], over
Twitter, and in email for those who have subscribed to our email list. To
subscribe to the email list: log in on drupal.org, go to your user profile
page and subscribe to the security newsletter on the Edit » My newsletters
tab.
Journalists interested in covering the story are encouraged to email
security-press(a)drupal.org to be sure they will get a copy of the
journalist-focused release. The Security Team will release a
journalist-focused summary email at the same time as the new code release and
advisory.
If you find a security issue, please report it at
https://www.drupal.org/security-team/report-issue [4].
[1] https://www.drupal.org/security
[2] https://www.drupal.org/core/release-cycle-overview
[3] www.drupal.org/security
[4] https://www.drupal.org/security-team/report-issue
View online: https://www.drupal.org/sa-contrib-2018-016
Project: JSON API [1]
Version: 8.x-1.x-dev
Date: 2018-March-21
Security risk: *Moderately critical* 11∕25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access Bypass
Description:
This module provides a JSON API standards-compliant API for accessing and
manipulating Drupal content and configuration entities.
The module doesn't sufficiently check access when viewing related resources
or relationships, thereby causing an access bypass vulnerability.
This vulnerability is mitigated by the fact that an attacker must be allowed
to view the related data, otherwise all they can glean is an entity type UUID
and a UUID, which are meaningless by themselves.
Solution:
Install the latest version:
* If you use the JSON API module for Drupal 8.x, upgrade to JSON API
8.x-1.14 [3]
Reported By:
* Gabe Sullice [4]
Fixed By:
* Wim Leers [5]
* Mateu Aguiló Bosch [6]
Coordinated By:
* Michael Hess [7] Of the Drupal Security Team
[1] https://www.drupal.org/project/jsonapi
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/jsonapi/releases/8.x-1.14
[4] https://www.drupal.org/user/2287430
[5] https://www.drupal.org/user/99777
[6] https://www.drupal.org/user/550110
[7] https://www.drupal.org/u/mlhess