[Security-news] JSON:API - Moderately critical - Access bypass - SA-CONTRIB-2018-081
security-news at drupal.org
security-news at drupal.org
Wed Dec 19 18:25:02 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-081
Project: JSON:API [1]
Date: 2018-December-19
Security risk: *Moderately critical* 13∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
This module provides a JSON:API specification-compliant HTTP API for
accessing and manipulating Drupal content and configuration entities.
The module doesn't sufficiently check access when responding to certain
filtered collection requests, thereby causing an access bypass vulnerability.
In order to fix this issue, two new hooks were added:
hook_jsonapi_ENTITY_TYPE_filter_access() and
hook_jsonapi_entity_field_filter_access(). Sites with custom entity types
and/or with entity or field access customizations may need to implement these
newly introduced hooks.
Solution:
Install the latest version:
* If you use the JSON:API module 8.x-1.x for Drupal 8.x, upgrade to JSON
API
8.x-1.24 [3]
Also see the JSON:API [4] project page.
Reported By:
* Gabe Sullice [5]
* Lauri Eskola [6]
Fixed By:
* Gabe Sullice [7]
* Wim Leers [8]
* Alex Bronstein [9] of the Drupal Security Team
* Tobias Zimmermann [10]
* Andrei Mateescu [11]
* Mateu Aguiló Bosch [12]
* Hristo Chonov [13]
* Daniel Wehner [14]
* Sascha Grossenbacher [15]
* Kristiaan Van den Eynde [16]
* Lee Rowlands [17] of the Drupal Security Team
Coordinated By:
* Alex Bronstein [18] of the Drupal Security Team
[1] https://www.drupal.org/project/jsonapi
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3021532
[4] https://www.drupal.org/project/jsonapi
[5] https://www.drupal.org/user/2287430
[6] https://www.drupal.org/user/1078742
[7] https://www.drupal.org/user/2287430
[8] https://www.drupal.org/user/99777
[9] https://www.drupal.org/user/78040
[10] https://www.drupal.org/user/107158
[11] https://www.drupal.org/user/729614
[12] https://www.drupal.org/user/550110
[13] https://www.drupal.org/user/2901211
[14] https://www.drupal.org/user/99340
[15] https://www.drupal.org/user/214652
[16] https://www.drupal.org/user/1345130
[17] https://www.drupal.org/user/395439
[18] https://www.drupal.org/user/78040
More information about the Security-news
mailing list