JSON:API - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2018-021

Project:

JSON:API

Date:

2018-April-25

Security risk:

Moderately critical 11 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon

Vulnerability:

Cross Site Request Forgery

Affected versions:

<1.16.0

Description:

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

The module doesn't provide CSRF protection when processing authenticated traffic using cookie-based authentication.

This vulnerability is mitigated by the fact that an attacker must be allowed to create or modify entities of a certain type, and a very specific and uncommon CORS configuration that allows all other pre-checks to be skipped.

Solution:

Install the latest version:

If you use the JSON API module for Drupal 8.x, upgrade to 8.x-1.16

Reported By:

Mateu Aguiló Bosch (e0ipso)

Fixed By:

Mateu Aguiló Bosch (e0ipso)
Wim Leers
Daniel Wehner (dawehner)
Gabe Sullice

Coordinated By:

Michael Hess of the Drupal Security Team

Contribution record

JSON:API - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2018-021

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community