it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] JSON API - Moderately critical - Access Bypass - SA-CONTRIB-2018-016
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] JSON API - Moderately critical - Access Bypass - SA-CONTRIB-2018-016
- Date: Wed, 21 Mar 2018 17:25:20 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2018-016
Project: JSON API [1]
Version: 8.x-1.x-dev
Date: 2018-March-21
Security risk: *Moderately critical* 11/25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access Bypass
Description:
This module provides a JSON API standards-compliant API for accessing and
manipulating Drupal content and configuration entities.
The module doesn't sufficiently check access when viewing related resources
or relationships (the per-field routes that list the entities a resource
references), thereby causing an access bypass vulnerability.
This vulnerability is mitigated by the fact that an attacker must be allowed
to view the related data; otherwise all they can glean is an entity type ID
and a UUID, which are meaningless by themselves.
Solution:
Install the latest version:
* If you use the JSON API module for Drupal 8.x, upgrade to JSON API 8.x-1.14 [3]
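The following is an added example for the two practical questions this advisory raises: is the installed release at or past 8.x-1.14, and does a site still hand a low-privilege client related resources it may not fetch directly? It is not code from the advisory or from the jsonapi module. It assumes the module's default path layout (/jsonapi/<entity_type>/<bundle>/<uuid>, with /<field> and /relationships/<field> for related resources and relationships), that a resource the client may not view answers 403 on a direct fetch, and it uses a constructed stub site with hypothetical UUIDs and the hostname example.test so that it runs offline.

```python
"""Checks for SA-CONTRIB-2018-016 (JSON API access bypass on related
resources / relationships). Added example code, not from the advisory or
the jsonapi module. Assumes the module's default path layout and that a
directly inaccessible resource answers 403."""
import re
from typing import Callable, Dict, List, Optional, Tuple

FIXED_RELEASE = (1, 14)  # JSON API 8.x-1.14, per the advisory

# fetch(url) -> (HTTP status, decoded JSON body or None). Injected so the
# audit runs against a live site (urllib/requests) or against a stub.
Fetch = Callable[[str], Tuple[int, Optional[dict]]]


def parse_contrib_version(version: str) -> Optional[Tuple[int, int, str]]:
    """'8.x-1.13' -> (1, 13, ''); '8.x-1.14-rc1' -> (1, 14, 'rc1').
    Returns None for a dev snapshot such as '8.x-1.x-dev'."""
    m = re.fullmatch(r"8\.x-(\d+)\.(\d+|x)(?:-(.*))?", version.strip())
    if not m:
        raise ValueError(f"not a Drupal 8 contrib version: {version!r}")
    major, minor, suffix = m.groups()
    if minor == "x":
        return None
    return int(major), int(minor), suffix or ""


def version_is_fixed(version: str) -> bool:
    """True only for 8.x-1.14 or later. Dev snapshots and pre-releases of
    1.14 count as not fixed, the safe direction for a patch decision."""
    parsed = parse_contrib_version(version)
    if parsed is None:
        return False
    major, minor, suffix = parsed
    if (major, minor) < FIXED_RELEASE:
        return False
    return not ((major, minor) == FIXED_RELEASE and suffix)


def _resource_path(base_url: str, resource_type: str, uuid: str) -> str:
    # Resource type 'node--article' is served at /jsonapi/node/article/<uuid>.
    entity_type, bundle = resource_type.split("--", 1)
    return f"{base_url}/jsonapi/{entity_type}/{bundle}/{uuid}"


def audit_relationship(fetch: Fetch, base_url: str, resource_type: str,
                       uuid: str, field: str) -> Dict[str, List[dict]]:
    """Compare what the /relationships/<field> and /<field> routes expose with
    what the same client may fetch directly. Returns the entries whose direct
    fetch answered 403: 'resources' (full objects from /<field>) is the access
    bypass; 'identifiers' is the residual type-ID-plus-UUID disclosure."""
    leaked: Dict[str, List[dict]] = {"identifiers": [], "resources": []}
    owner = _resource_path(base_url, resource_type, uuid)
    routes = (("identifiers", f"{owner}/relationships/{field}"),
              ("resources", f"{owner}/{field}"))
    for kind, url in routes:
        status, body = fetch(url)
        if status != 200 or not body or body.get("data") is None:
            continue
        data = body["data"]
        for item in data if isinstance(data, list) else [data]:
            direct, _ = fetch(_resource_path(base_url, item["type"], item["id"]))
            if direct == 403:
                leaked[kind].append({"type": item["type"], "id": item["id"]})
    return leaked


# Constructed sample site (hypothetical UUIDs and hostname, not real data):
# one article tagged with a public term and a term anonymous may not view.
ARTICLE = "0f1e2d3c-1111-4aaa-8bbb-000000000001"
PUBLIC_TAG = "0f1e2d3c-2222-4aaa-8bbb-000000000002"
PRIVATE_TAG = "0f1e2d3c-3333-4aaa-8bbb-000000000003"


def make_stub_site(base_url: str, patched: bool) -> Fetch:
    """Anonymous client against the stub. The unpatched stub lists every tag
    on the related routes; the patched stub filters them by view access."""
    owner = _resource_path(base_url, "node--article", ARTICLE)
    tags = [{"type": "taxonomy_term--tags", "id": PUBLIC_TAG},
            {"type": "taxonomy_term--tags", "id": PRIVATE_TAG}]
    visible = tags[:1] if patched else tags

    def fetch(url: str) -> Tuple[int, Optional[dict]]:
        if url == f"{owner}/relationships/field_tags":
            return 200, {"data": visible}
        if url == f"{owner}/field_tags":
            return 200, {"data": [dict(t, attributes={"name": "tag"}) for t in visible]}
        if url.endswith(PRIVATE_TAG):
            return 403, {"errors": [{"status": "403"}]}
        if url == owner or url.endswith(PUBLIC_TAG):
            return 200, {"data": {}}
        return 404, None
    return fetch


if __name__ == "__main__":
    for patched in (False, True):
        site = make_stub_site("https://example.test", patched)
        print("patched" if patched else "unpatched",
              audit_relationship(site, "https://example.test",
                                 "node--article", ARTICLE, "field_tags"))
```

Against a real site, pass a `fetch` built on urllib or requests, first with no credentials and then with a low-privilege account, since the bypass only matters for data the client could not otherwise view. Check both routes: the relationships route reveals only type ID and UUID, the related-resource route returns full objects. On Composer-managed sites `composer show drupal/jsonapi` prints the release in semver form (8.x-1.14 appears as 1.14.0), so convert before feeding it to `version_is_fixed`, or read the version key from the module's info.yml instead.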
Reported By:
* Gabe Sullice [4]
Fixed By:
* Wim Leers [5]
* Mateu Aguiló Bosch [6]
Coordinated By:
* Michael Hess [7] Of the Drupal Security Team
[1] https://www.drupal.org/project/jsonapi
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/jsonapi/releases/8.x-1.14
[4] https://www.drupal.org/user/2287430
[5] https://www.drupal.org/user/99777
[6] https://www.drupal.org/user/550110
[7] https://www.drupal.org/u/mlhess
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19.