CVE-2020-13677 — Improper Access Control in Drupal Core

CWE-284 — Improper Access Control CWE-863 — Incorrect Authorization7 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 58.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Core Drupal

Timeline

PublishedFeb 11

Latest updateFeb 12

Description

Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5drupal/core9.2.x — 9.2.6+2

▶Packagistdrupal/core8.0.0 — 8.9.19+2

▶NVDdrupal/drupal8.0.0 — 8.9.19+2

Patches

Patch: www.drupal.org ↗Patch: www.drupal.org ↗

🔴Vulnerability Details

GHSA

Drupal core access bypass vulnerability↗2022-02-12

▶

OSV

Drupal core access bypass vulnerability↗2022-02-12

▶

OSV

CVE-2020-13677: Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access↗2022-02-11

▶

CVEList

CVE-2020-13677: Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access↗2022-02-11

▶

OSV

CVE-2020-13677: Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access↗2021-09-15

▶

📋Vendor Advisories

Drupal

Drupal core - Moderately critical - Access Bypass - SA-CORE-2021-010↗2021-09-15

▶