Drupal core - Moderately critical - Access Bypass - SA-CORE-2021-010 - Security-news

15 Sep 2021


      View online: https://www.drupal.org/sa-core-2021-010
Project: Drupal core [1]
Date: 2021-September-15
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access Bypass
CVE IDs: CVE-2020-13677
Description: 
Under some circumstances, the Drupal core JSON:API module does not properly
restrict access to certain content, which may result in unintended access
bypass.
Sites that do not have the JSON:API module enabled are not affected.
This advisory is not covered by Drupal Steward [3].
Solution: 
Install the latest version:
* If you are using Drupal 9.2, update to Drupal 9.2.6 [4].
   * If you are using Drupal 9.1, update to Drupal 9.1.13 [5].
   * If you are using Drupal 8.9, update to Drupal 8.9.19 [6].
Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x
are end-of-life and do not receive security coverage.
Drupal 7 core does not include the JSON:API module and therefore is not
affected.
Reported By: 
   * Brad Jones [7]
Fixed By: 
   * Brad Jones [8]
   * Jess  [9] of the Drupal Security Team
   * Björn Brala [10]
   * Gabe Sullice [11]
   * Mateu Aguiló Bosch [12]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/steward
[4] https://www.drupal.org/project/drupal/releases/9.2.6
[5] https://www.drupal.org/project/drupal/releases/9.1.13
[6] https://www.drupal.org/project/drupal/releases/8.9.19
[7] https://www.drupal.org/user/405824
[8] https://www.drupal.org/user/405824
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/3366066
[11] https://www.drupal.org/user/2287430
[12] https://www.drupal.org/user/550110