[Security-news] JSON:API - Critical - Unsupported - SA-CONTRIB-2020-010
security-news at drupal.org
Wed Apr 15 16:11:05 UTC 2020
View online: https://www.drupal.org/sa-contrib-2020-010
Project: JSON:API [1]
Version: 8.x-1.26
Date: 2020-April-15
Security risk: *Critical* 15∕25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2]
Vulnerability: Unsupported
Description:
This module provides a JSON API standards-compliant API for accessing and
manipulating Drupal content and configuration entities.
The security team and module maintainers are marking this project
unsupported. Both the 8.x-1.x and 8.x-2.x versions are unsupported, and users
of either version are strongly encouraged to upgrade to a supported version
of Drupal core, which includes a supported version of JSON:API.
The eventual removal of security coverage for the JSON:API contributed module
was announced with the release of JSON:API 8.x-1.22 [3] on 28 June 2018.
Additionally, there is a known security issue with the 8.x-1.x branch of the
project that will not be fixed by the maintainers. That issue is not present
in the 8.x-2.x branch of the project, nor is it present in Drupal core.
Solution:
Users of the module are encouraged to upgrade to a supported version of
Drupal core, which is distributed with a supported version of JSON:API.
If your site is currently using a release from the 8.x-1.x branch of the
module, you may be required to apply fixes for the breaking changes
documented here [4].
Also see the JSON:API [5] project page.
Reported By:
* Gabe Sullice [6]
* Alex Bronstein [7]
* Wim Leers [8]
* Mateu Aguiló Bosch [9]
Fixed By:
* Gabe Sullice [10]
* Alex Bronstein [11]
* Wim Leers [12]
* Mateu Aguiló Bosch [13]
Coordinated By:
* Greg Knaddison [14] of the Drupal Security Team
[1] https://www.drupal.org/project/jsonapi
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/jsonapi/releases/8.x-1.22
[4] https://www.drupal.org/list-changes/jsonapi/published?to_branch=8.x-2.x
[5] https://www.drupal.org/project/jsonapi
[6] https://www.drupal.org/user/2287430
[7] https://www.drupal.org/user/78040
[8] https://www.drupal.org/user/99777
[9] https://www.drupal.org/user/550110
[10] https://www.drupal.org/user/2287430
[11] https://www.drupal.org/user/78040
[12] https://www.drupal.org/user/99777
[13] https://www.drupal.org/user/550110
[14] https://www.drupal.org/user/36762