[Security-news] Drupal core - Less critical - Access bypass - SA-CORE-2020-006
security-news at drupal.org
security-news at drupal.org
Wed Jun 17 18:51:41 UTC 2020
View online: https://www.drupal.org/sa-core-2020-006
Project: Drupal core [1]
Date: 2020-June-17
Security risk: *Less critical* 8∕25
AC:Complex/A:User/CI:None/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
CVE IDs: CVE-2020-13665
Description:
JSON:API PATCH requests may bypass validation for certain fields.
By default, JSON:API works in a read-only mode which makes it impossible to
exploit the vulnerability. Only sites that have the read_only set to FALSE
under jsonapi.settings config are vulnerable.
Solution:
Install the latest version:
* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 [3].
* If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 [4].
* If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 [5].
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.8.
Reported By:
* Sergii Bondarenko [6]
Fixed By:
* Sergii Bondarenko [7]
* Wim Leers [8]
* Jess [9] of the Drupal Security Team
* Lee Rowlands [10] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.8.8
[4] https://www.drupal.org/project/drupal/releases/8.9.1
[5] https://www.drupal.org/project/drupal/releases/9.0.1
[6] https://www.drupal.org/user/2802285
[7] https://www.drupal.org/user/2802285
[8] https://www.drupal.org/user/99777
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/395439
More information about the Security-news
mailing list