[Security-news] Drupal core - Less critical - Access bypass - SA-CORE-2020-006

security-news at drupal.org security-news at drupal.org
Wed Jun 17 18:51:41 UTC 2020


View online: https://www.drupal.org/sa-core-2020-006

Project: Drupal core [1]
Date: 2020-June-17
Security risk: *Less critical* 8∕25
AC:Complex/A:User/CI:None/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

CVE IDs: CVE-2020-13665
Description: 
JSON:API PATCH requests may bypass validation for certain fields.

By default, JSON:API works in a read-only mode which makes it impossible to
exploit the vulnerability. Only sites that have the read_only set to FALSE
under jsonapi.settings config are vulnerable.

Solution: 
Install the latest version:

   * If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 [3].
   * If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 [4].
   * If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 [5].

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.8.

Reported By: 
   * Sergii Bondarenko  [6]

Fixed By: 
   * Sergii Bondarenko  [7]
   * Wim Leers  [8]
   * Jess   [9] of the Drupal Security Team
   * Lee Rowlands  [10] of the Drupal Security Team


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.8.8
[4] https://www.drupal.org/project/drupal/releases/8.9.1
[5] https://www.drupal.org/project/drupal/releases/9.0.1
[6] https://www.drupal.org/user/2802285
[7] https://www.drupal.org/user/2802285
[8] https://www.drupal.org/user/99777
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/395439



More information about the Security-news mailing list