Fluid Attacks Database

Description

Drupal Core Access bypass vulnerability Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	drupal/core-recommended	>=8.8.0 <8.8.8 \|\| >=8.9.0 <8.9.1 \|\| >=9.0.0 <9.0.1	8.8.8, 8.9.1, 9.0.1
packagist	drupal/core	>=8.8.0 <8.8.8 \|\| >=8.9.0 <8.9.1 \|\| >=9.0.0 <9.0.1	8.8.8, 8.9.1, 9.0.1
packagist	drupal/drupal	>=8.8.0 <8.8.8 \|\| >=8.9.0 <8.9.1 \|\| >=9.0.0 <9.0.1	8.8.8, 8.9.1, 9.0.1

Aliases

1. CVE-2020-136652. NVD-2020-136653. OSV-2020-136654. GCVE-2020-13665

References

1. https://www.drupal.org/sa-core-2020-0062. https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13665.yaml3. https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13665.yaml