Drupal core - Less critical - Access bypass - SA-CORE-2020-006

Project:

Drupal core

Date:

2020-June-17

Security risk:

Less critical 8∕25 AC:Complex/A:User/CI:None/II:Some/E:Theoretical/TD:Uncommon

Vulnerability:

Access bypass

CVE IDs:

CVE-2020-13665

Description:

JSON:API PATCH requests may bypass validation for certain fields.

By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.

Solution:

Install the latest version:

If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.

Reported By:

Sergii Bondarenko

Fixed By:

Sergii Bondarenko
Wim Leers
Jess of the Drupal Security Team
Lee Rowlands of the Drupal Security Team

https://www.drupal.org/sa-core-2020-006