View online: https://www.drupal.org/sa-contrib-2020-010
Project: JSON:API [1]
Version: 8.x-1.26
Date: 2020-April-15
Security risk: *Critical* 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2]
Vulnerability: Unsupported
Description: This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.
The security team and module maintainers are marking this project unsupported. Both the 8.x-1.x and 8.x-2.x versions are unsupported, and users of either version are strongly encouraged to upgrade to a supported version of Drupal core, which includes a supported version of JSON:API.
The eventual removal of security coverage for the JSON:API contributed module was announced with the release of JSON:API 8.x-1.22 [3] on 28 June 2018.
Additionally, there is a known security issue with the 8.x-1.x branch of the project that will not be fixed by the maintainers. That issue is not present in the 8.x-2.x branch of the project, nor is it present in Drupal core.
Solution: Users of the module are encouraged to upgrade to a supported version of Drupal core, which is distributed with a supported version of JSON:API.
If your site is currently using a release from the 8.x-1.x branch of the module, you may be required to apply fixes for the breaking changes documented here [4].
Also see the JSON:API [5] project page.
Reported By:
* Gabe Sullice [6]
* Alex Bronstein [7]
* Wim Leers [8]
* Mateu Aguiló Bosch [9]
Fixed By:
* Gabe Sullice [10]
* Alex Bronstein [11]
* Wim Leers [12]
* Mateu Aguiló Bosch [13]
Coordinated By:
* Greg Knaddison [14] of the Drupal Security Team
[1] https://www.drupal.org/project/jsonapi
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/jsonapi/releases/8.x-1.22
[4] https://www.drupal.org/list-changes/jsonapi/published?to_branch=8.x-2.x
[5] https://www.drupal.org/project/jsonapi
[6] https://www.drupal.org/user/2287430
[7] https://www.drupal.org/user/78040
[8] https://www.drupal.org/user/99777
[9] https://www.drupal.org/user/550110
[10] https://www.drupal.org/user/2287430
[11] https://www.drupal.org/user/78040
[12] https://www.drupal.org/user/99777
[13] https://www.drupal.org/user/550110
[14] https://www.drupal.org/user/36762