Access Control Vulnerability in Drupal Core JSON:API by Drupal
CVE-2020-13677

7.5HIGH

Key Information:

Vendor: Drupal
Status: Core
Vendor: CVE Published:; 11 February 2022

What is CVE-2020-13677?

The Drupal Core JSON:API module has a vulnerability where it fails to adequately restrict access to certain content under specific conditions. This flaw could allow unauthorized users to bypass access controls and gain access to restricted content. Only sites with the JSON:API module enabled are at risk. To assure the security of your Drupal site, it is critical to review the module's permissions and take necessary updates as advised by security advisories.

Affected Version(s)

Core 9.2.x < 9.2.6

Core 9.1.x < 9.1.13

Core 8.9.x < 8.9.19

References

https://www.drupal.org/sa-core-2021-010

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 11, 2022
Vulnerability Reserved
May 28, 2020