View online: https://www.drupal.org/sa-core-2020-006
Project: Drupal core [1] Date: 2020-June-17 Security risk: *Less critical* 8∕25 AC:Complex/A:User/CI:None/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass
CVE IDs: CVE-2020-13665 Description: JSON:API PATCH requests may bypass validation for certain fields.
By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.
Solution: Install the latest version:
* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 [3]. * If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 [4]. * If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 [5].
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.
Reported By: * Sergii Bondarenko [6]
Fixed By: * Sergii Bondarenko [7] * Wim Leers [8] * Jess [9] of the Drupal Security Team * Lee Rowlands [10] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/drupal/releases/8.8.8 [4] https://www.drupal.org/project/drupal/releases/8.9.1 [5] https://www.drupal.org/project/drupal/releases/9.0.1 [6] https://www.drupal.org/user/2802285 [7] https://www.drupal.org/user/2802285 [8] https://www.drupal.org/user/99777 [9] https://www.drupal.org/user/65776 [10] https://www.drupal.org/user/395439