Lucene search

GoogleOSV:BIT-DRUPAL-2020-13665

HistoryMar 06, 2024 - 10:58 a.m.

BIT-drupal-2020-13665

2024-03-0610:58:25

Google

osv.dev

drupal

json:api

access bypass

vulnerability

read/write mode

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

70.1%

JSON

Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.

CPENameOperatorVersion
drupalge9.0.0
drupalge8.8.0
drupallt8.8.8
drupallt9.0.1
drupallt8.9.1
drupalge8.9.0

Name	Operator	Version
drupal	ge	9.0.0
drupal	ge	8.8.0
drupal	lt	8.8.8
drupal	lt	9.0.1
drupal	lt	8.9.1
drupal	ge	8.9.0

References

www.drupal.org/sa-core-2020-006

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

70.1%

JSON

Related for OSV:BIT-DRUPAL-2020-13665