View online: https://www.drupal.org/sa-core-2020-006

Project: Drupal core [1]
Date: 2020-June-17
Security risk: *Less critical* 8∕25
AC:Complex/A:User/CI:None/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

CVE IDs: CVE-2020-13665
Description: 
JSON:API PATCH requests may bypass validation for certain fields.

By default, JSON:API works in a read-only mode which makes it impossible to
exploit the vulnerability. Only sites that have the read_only set to FALSE
under jsonapi.settings config are vulnerable.

Solution: 
Install the latest version:

* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 [3].
* If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 [4].
* If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 [5].

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.8.

Reported By: 
* Sergii Bondarenko [6]

Fixed By: 
* Sergii Bondarenko [7]
* Wim Leers [8]
* Jess [9] of the Drupal Security Team
* Lee Rowlands [10] of the Drupal Security Team

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.8.8
[4] https://www.drupal.org/project/drupal/releases/8.9.1
[5] https://www.drupal.org/project/drupal/releases/9.0.1
[6] https://www.drupal.org/user/2802285
[7] https://www.drupal.org/user/2802285
[8] https://www.drupal.org/user/99777
[9] https://www.drupal.org/user/65776
[10] https://www.drupal.org/user/395439

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news