[Security-news] JSON:API - Moderately critical - Access bypass - SA-CONTRIB-2018-081

security-news at drupal.org security-news at drupal.org
Wed Dec 19 18:25:02 UTC 2018


View online: https://www.drupal.org/sa-contrib-2018-081

Project: JSON:API [1]
Date: 2018-December-19
Security risk: *Moderately critical* 13∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description: 
This module provides a JSON:API specification-compliant HTTP API for
accessing and manipulating Drupal content and configuration entities.

The module doesn't sufficiently check access when responding to certain
filtered collection requests, thereby causing an access bypass vulnerability.

In order to fix this issue, two new hooks were added:
hook_jsonapi_ENTITY_TYPE_filter_access() and
hook_jsonapi_entity_field_filter_access(). Sites with custom entity types
and/or with entity or field access customizations may need to implement these
newly introduced hooks.
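As an added illustration (not code from the advisory or the JSON:API project), here is how a site module could implement the two new hooks for a hypothetical "ticket" entity type with a restricted "field_internal_notes" field. The function signatures, the JSONAPI_FILTER_AMONG_* constants and the permission names are assumed from the module's jsonapi.api.php and should be checked against the installed version before use.

```php
<?php

/**
 * @file
 * Added example for a hypothetical "mymodule"; the "ticket" entity type,
 * its permissions and "field_internal_notes" are assumed, and the hook
 * signatures follow the module's jsonapi.api.php.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_jsonapi_ENTITY_TYPE_filter_access() for "ticket".
 *
 * States which subsets of tickets an account may filter across, so that a
 * collection filter cannot act on tickets the account could not view.
 */
function mymodule_jsonapi_ticket_filter_access(EntityTypeInterface $entity_type, AccountInterface $account) {
  return [
    // Filtering across every ticket needs an administrative permission.
    JSONAPI_FILTER_AMONG_ALL => AccessResult::allowedIfHasPermission($account, 'administer tickets'),
    // Filtering across published tickets needs only the public view permission.
    JSONAPI_FILTER_AMONG_PUBLISHED => AccessResult::allowedIfHasPermission($account, 'view published tickets'),
    // Filtering across the account's own tickets needs the "own" view permission.
    JSONAPI_FILTER_AMONG_OWN => AccessResult::allowedIfHasPermission($account, 'view own tickets'),
  ];
}

/**
 * Implements hook_jsonapi_entity_field_filter_access().
 *
 * Forbids filtering on a restricted field unless the account may read it;
 * otherwise which results come back would reveal the field's contents.
 */
function mymodule_jsonapi_entity_field_filter_access(FieldDefinitionInterface $field_definition, AccountInterface $account) {
  if ($field_definition->getTargetEntityTypeId() === 'ticket'
    && $field_definition->getName() === 'field_internal_notes') {
    return AccessResult::forbiddenIf(!$account->hasPermission('view ticket internal notes'))
      ->cachePerPermissions();
  }
  // Neutral: leave the decision to other hooks and default field access.
  return AccessResult::neutral();
}
```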

Solution: 
Install the latest version:

   * If you use the JSON:API module 8.x-1.x for Drupal 8.x, upgrade to
     JSON:API 8.x-1.24 [3]

Also see the JSON:API [4] project page.

Reported By: 
   * Gabe Sullice  [5]
   * Lauri Eskola  [6]

Fixed By: 
   * Gabe Sullice  [7]
   * Wim Leers  [8]
   * Alex Bronstein  [9] of the Drupal Security Team
   * Tobias Zimmermann  [10]
   * Andrei Mateescu  [11]
   * Mateu Aguiló Bosch  [12]
   * Hristo Chonov  [13]
   * Daniel Wehner  [14]
   * Sascha Grossenbacher  [15]
   * Kristiaan Van den Eynde  [16]
   * Lee Rowlands  [17] of the Drupal Security Team

Coordinated By: 
   * Alex Bronstein  [18] of the Drupal Security Team


[1] https://www.drupal.org/project/jsonapi
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3021532
[4] https://www.drupal.org/project/jsonapi
[5] https://www.drupal.org/user/2287430
[6] https://www.drupal.org/user/1078742
[7] https://www.drupal.org/user/2287430
[8] https://www.drupal.org/user/99777
[9] https://www.drupal.org/user/78040
[10] https://www.drupal.org/user/107158
[11] https://www.drupal.org/user/729614
[12] https://www.drupal.org/user/550110
[13] https://www.drupal.org/user/2901211
[14] https://www.drupal.org/user/99340
[15] https://www.drupal.org/user/214652
[16] https://www.drupal.org/user/1345130
[17] https://www.drupal.org/user/395439
[18] https://www.drupal.org/user/78040