CVE-2020-13665
Published 2021-05-05
Priority: P3 (55) | Severity: critical | CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.27% (66.3rd percentile)
Access bypass vulnerability in Drupal Core: JSON:API PATCH requests may bypass validation for certain fields when JSON:API is in read/write mode. Only sites that have `read_only` set to `FALSE` under the `jsonapi.settings` config are vulnerable. This issue affects Drupal Core 8.8.x versions prior to 8.8.8, 8.9.x versions prior to 8.9.1, and 9.0.x versions prior to 9.0.1.
Affected
11 ranges (duplicate rows merged)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 8.0.0 < 8.8.8 | 8.8.8 |
| drupal | core | >= 8.8.0 < 8.8.8 | 8.8.8 |
| drupal | core | >= 8.9.0 < 8.9.1 | 8.9.1 |
| drupal | core | >= 9.0.0 < 9.0.1 | 9.0.1 |
| drupal | drupal | >= 8.8.0 < 8.8.8 | 8.8.8 |
| drupal | drupal | >= 8.9.0 < 8.9.1 | 8.9.1 |
| drupal | drupal | >= 9.0.0 < 9.0.1 | 9.0.1 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 8.8.0 < 8.8.8 | 8.8.8 |
| drupal | drupal_core | >= 8.9.0 < 8.9.1 | 8.9.1 |
| drupal | drupal_core | >= 9.0.0 < 9.0.1 | 9.0.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
OSV
osv · 2022-05-24: CVE-2020-13665 [CRITICAL] Drupal Core Access bypass vulnerability
Description: identical to the NVD description above.
GHSA
ghsa · 2022-05-24: CVE-2020-13665 [CRITICAL] CWE-863 Drupal Core Access bypass vulnerability
Description: identical to the NVD description above.
OSV
osv · 2020-06-17: CVE-2020-13665: JSON:API PATCH requests may bypass validation for certain fields
JSON:API PATCH requests may bypass validation for certain fields.
By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the `read_only` set to `FALSE` under `jsonapi.settings` config are vulnerable.
Drupal
vendor_drupal · 2020-06-17: CVE-2020-13665 [LOW] Drupal core - Less critical - Access bypass - SA-CORE-2020-006
Title: Drupal core - Less critical - Access bypass - SA-CORE-2020-006
Vulnerability Type: Access bypass
Description: JSON:API PATCH requests may bypass validation for certain fields. By default, JSON:API works in a read-only mode, which makes it impossible to exploit the vulnerability. Only sites that have `read_only` set to `FALSE` under the `jsonapi.settings` config are vulnerable.
Solution: Install the latest version. If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8. If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1. If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1. Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage; sites on 8.7.x or earlier should update to 8.8.8.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.