View online: https://www.drupal.org/sa-core-2021-010
Project: Drupal core [1]
Date: 2021-September-15
Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access Bypass
CVE IDs: CVE-2020-13677
Description: Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass.
Sites that do not have the JSON:API module enabled are not affected.
This advisory is not covered by Drupal Steward [3].
Solution: Install the latest version:
* If you are using Drupal 9.2, update to Drupal 9.2.6 [4].
* If you are using Drupal 9.1, update to Drupal 9.1.13 [5].
* If you are using Drupal 8.9, update to Drupal 8.9.19 [6].
Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.
Drupal 7 core does not include the JSON:API module and therefore is not affected.
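
Added example (not part of the advisory or of Drupal's own tooling): a triage helper that applies the version and module conditions above to a site inventory. The names triage, report and INVENTORY, the status strings and the sample sites are constructed for illustration; treating a pre-release tag as older than the final release is an assumption.

```python
import re

# Fixed patch release per supported branch, as listed in the advisory.
FIXED = {(9, 2): 6, (9, 1): 13, (8, 9): 19}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?$")

def triage(version, jsonapi_enabled):
    """Classify one site against SA-CORE-2021-010 (hypothetical helper)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"          # e.g. "9.2.x-dev": review by hand
    major, minor = int(m[1]), int(m[2])
    patch = int(m[3] or 0)
    if major == 7:
        return "not-affected"         # Drupal 7 core has no JSON:API module
    if not jsonapi_enabled:
        return "not-affected"         # module disabled: outside this advisory
    if (major, minor) in FIXED:
        fixed = FIXED[(major, minor)]
        # Assumption: "9.2.6-rc1" sorts before the final 9.2.6 release.
        if patch > fixed or (patch == fixed and not m[4]):
            return "fixed"
        return "update-to-%d.%d.%d" % (major, minor, fixed)
    if (major == 8 and minor < 9) or (major == 9 and minor < 1):
        return "end-of-life"          # no security coverage for this branch
    return "not-listed"               # branch not named in the advisory

# Constructed sample inventory: (site, core version, JSON:API enabled?)
INVENTORY = [
    ("intranet", "9.2.5", True),
    ("shop", "9.1.13", True),
    ("blog", "8.9.18", False),
    ("legacy", "8.7.14", True),
    ("archive", "7.82", False),
]

def report(inventory):
    """Map each site name to its triage status."""
    return {name: triage(ver, api) for name, ver, api in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:10} {status}")
```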
Reported By:
* Brad Jones [7]
Fixed By:
* Brad Jones [8]
* Jess [9] of the Drupal Security Team
* Björn Brala [10]
* Gabe Sullice [11]
* Mateu Aguiló Bosch [12]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/steward
[4] https://www.drupal.org/project/drupal/releases/9.2.6
[5] https://www.drupal.org/project/drupal/releases/9.1.13
[6] https://www.drupal.org/project/drupal/releases/8.9.19
[7] https://www.drupal.org/user/405824
[8] https://www.drupal.org/user/405824
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/3366066
[11] https://www.drupal.org/user/2287430
[12] https://www.drupal.org/user/550110