Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2021-September-15
Vulnerability:
Access Bypass
Affected versions:
>= 8.0.0 <8.9.19 || >= 9.1.0 <9.1.13 || >=9.2.0 <9.2.6
CVE IDs:
CVE-2020-13677
Description:
Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass.
Sites that do not have the JSON:API module enabled are not affected.
This advisory is not covered by Drupal Steward.
Solution:
Install the latest version:
- If you are using Drupal 9.2, update to Drupal 9.2.6.
- If you are using Drupal 9.1, update to Drupal 9.1.13.
- If you are using Drupal 8.9, update to Drupal 8.9.19.
Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.
Drupal 7 core does not include the JSON:API module and therefore is not affected.
Reported By:
Fixed By:
- Brad Jones
- xjm of the Drupal Security Team
- Björn Brala
- Gabe Sullice
- Mateu Aguiló Bosch
