Fluid Attacks Database

Description

JSON:API PATCH requests may bypass validation for certain fields.

By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	drupal/core	=8.0.0 \|\| =8.0.1 \|\| =8.0.2 \|\| =8.0.3 \|\| =8.0.4 \|\| =8.0.5 \|\| =8.0.6 \|\| =8.1.0 \|\| =8.1.0-beta1 \|\| =8.1.0-beta2 \|\| =8.1.0-rc1 \|\| =8.1.1 \|\| =8.1.10 \|\| =8.1.2 \|\| =8.1.3 \|\| =8.1.4 \|\| =8.1.5 \|\| =8.1.6 \|\| =8.1.7 \|\| =8.1.8 \|\| =8.1.9 \|\| =8.2.0 \|\| =8.2.0-beta1 \|\| =8.2.0-beta2 \|\| =8.2.0-beta3 \|\| =8.2.0-rc1 \|\| =8.2.0-rc2 \|\| =8.2.1 \|\| =8.2.2 \|\| =8.2.3 \|\| =8.2.4 \|\| =8.2.5 \|\| =8.2.6 \|\| =8.2.7 \|\| =8.2.8 \|\| =8.3.0 \|\| =8.3.0-alpha1 \|\| =8.3.0-beta1 \|\| =8.3.0-rc1 \|\| =8.3.0-rc2 \|\| =8.3.1 \|\| =8.3.2 \|\| =8.3.3 \|\| =8.3.4 \|\| =8.3.5 \|\| =8.3.6 \|\| =8.3.7 \|\| =8.3.8 \|\| =8.3.9 \|\| =8.4.0 \|\| =8.4.0-alpha1 \|\| =8.4.0-beta1 \|\| =8.4.0-rc1 \|\| =8.4.0-rc2 \|\| =8.4.1 \|\| =8.4.2 \|\| =8.4.3 \|\| =8.4.4 \|\| =8.4.5 \|\| =8.4.6 \|\| =8.4.7 \|\| =8.4.8 \|\| =8.5.0 \|\| =8.5.0-alpha1 \|\| =8.5.0-beta1 \|\| =8.5.0-rc1 \|\| =8.5.1 \|\| =8.5.10 \|\| =8.5.11 \|\| =8.5.12 \|\| =8.5.13 \|\| =8.5.14 \|\| =8.5.15 \|\| =8.5.2 \|\| =8.5.3 \|\| =8.5.4 \|\| =8.5.5 \|\| =8.5.6 \|\| =8.5.7 \|\| =8.5.8 \|\| =8.5.9 \|\| =8.6.0 \|\| =8.6.0-alpha1 \|\| =8.6.0-beta1 \|\| =8.6.0-beta2 \|\| =8.6.0-rc1 \|\| =8.6.1 \|\| =8.6.10 \|\| =8.6.11 \|\| =8.6.12 \|\| =8.6.13 \|\| =8.6.14 \|\| =8.6.15 \|\| =8.6.16 \|\| =8.6.17 \|\| =8.6.18 \|\| =8.6.2 \|\| =8.6.3 \|\| =8.6.4 \|\| =8.6.5 \|\| =8.6.6 \|\| =8.6.7 \|\| =8.6.8 \|\| =8.6.9 \|\| =8.7.0 \|\| =8.7.0-alpha1 \|\| =8.7.0-alpha2 \|\| =8.7.0-beta1 \|\| =8.7.0-beta2 \|\| =8.7.0-rc1 \|\| =8.7.1 \|\| =8.7.10 \|\| =8.7.11 \|\| =8.7.12 \|\| =8.7.13 \|\| =8.7.14 \|\| =8.7.2 \|\| =8.7.3 \|\| =8.7.4 \|\| =8.7.5 \|\| =8.7.6 \|\| =8.7.7 \|\| =8.7.8 \|\| =8.7.9 \|\| =8.8.0 \|\| =8.8.0-alpha1 \|\| =8.8.0-beta1 \|\| =8.8.0-rc1 \|\| =8.8.1 \|\| =8.8.2 \|\| =8.8.3 \|\| =8.8.4 \|\| =8.8.5 \|\| =8.8.6 \|\| =8.8.7 \|\| =8.9.0 \|\| =9.0.0 \|\| >=8.0.0 <8.8.8 \|\| >=8.9.0 <8.9.1 \|\| >=9.0.0 <9.0.1	8.8.8, 8.9.1, 9.0.1

Aliases

1. CVE-2020-136652. NVD-2020-136653. OSV-DRUPAL-CORE-2020-0064. OSV-2020-136655. GCVE-2020-13665

References

1. https://www.drupal.org/sa-core-2020-006

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.