
it-securitynotifies - [IT-SecNots] [Security-news] JSON:API - Moderately critical - Access bypass - SA-CONTRIB-2018-081

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

[IT-SecNots] [Security-news] JSON:API - Moderately critical - Access bypass - SA-CONTRIB-2018-081


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] JSON:API - Moderately critical - Access bypass - SA-CONTRIB-2018-081
  • Date: Wed, 19 Dec 2018 18:25:02 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2018-081

Project: JSON:API [1]
Date: 2018-December-19
Security risk: *Moderately critical* 13/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description: 
This module provides a JSON:API specification-compliant HTTP API for
accessing and manipulating Drupal content and configuration entities.

The module doesn't sufficiently check access when responding to certain
filtered collection requests, thereby causing an access bypass vulnerability.

In order to fix this issue, two new hooks were added:
hook_jsonapi_ENTITY_TYPE_filter_access() and
hook_jsonapi_entity_field_filter_access(). Sites with custom entity types
and/or with entity or field access customizations may need to implement these
newly introduced hooks.
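As an added example (not code from the advisory or from the JSON:API project), the following `mymodule.module` sketch shows how a site with a custom entity type and a sensitive field would implement the two hooks named above. The module name `mymodule`, the custom entity type `secret_note`, the field `field_ssn` and the permission strings are all hypothetical. The hook signatures and the `JSONAPI_FILTER_AMONG_*` constants are as documented in the `jsonapi.api.php` shipped with the fixed release; check them against the installed version before relying on them.

```php
<?php

/**
 * @file
 * Hypothetical module "mymodule": declares what may be filtered on via
 * JSON:API collection requests. Added example, not code from the advisory
 * or the JSON:API project.
 *
 * Hook names and the JSONAPI_FILTER_AMONG_* constants follow the
 * jsonapi.api.php shipped with JSON:API 8.x-1.24; verify against the
 * installed version before relying on them.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_jsonapi_ENTITY_TYPE_filter_access() for "secret_note".
 *
 * "secret_note" is a hypothetical custom content entity whose entity access
 * handler lets only the owner or an administrator view an item. A filtered
 * collection request is answered from a database query, not from per-entity
 * access checks, so the module needs to be told which subset of rows a
 * given account may filter among. The rules here must mirror the entity
 * access handler, otherwise a filter becomes an oracle for rows the user
 * could not otherwise view.
 */
function mymodule_jsonapi_secret_note_filter_access(EntityTypeInterface $entity_type, AccountInterface $account) {
  return [
    // Filtering across every secret_note, including other users' notes,
    // reveals the existence and contents of rows the caller may not view:
    // administrators only.
    JSONAPI_FILTER_AMONG_ALL => AccessResult::allowedIfHasPermission($account, 'administer secret notes'),
    // This entity type has no "published" or "enabled" flag, so no opinion.
    JSONAPI_FILTER_AMONG_PUBLISHED => AccessResult::neutral(),
    JSONAPI_FILTER_AMONG_ENABLED => AccessResult::neutral(),
    // Filtering among the caller's own notes mirrors the "view own" rule the
    // entity access handler enforces; keep the two in sync.
    JSONAPI_FILTER_AMONG_OWN => AccessResult::allowedIfHasPermission($account, 'view own secret notes'),
  ];
}

/**
 * Implements hook_jsonapi_entity_field_filter_access().
 *
 * A filter such as ?filter[field_ssn][value]=123-45-6789 answers "does a row
 * with this value exist?" even when the field itself is never included in
 * the response. Field-level view access does not cover that oracle, so deny
 * filtering on the hypothetical sensitive field unless the account is
 * allowed to see all of its values anyway.
 */
function mymodule_jsonapi_entity_field_filter_access(FieldDefinitionInterface $field_definition, AccountInterface $account) {
  if ($field_definition->getTargetEntityTypeId() === 'user'
    && $field_definition->getName() === 'field_ssn') {
    return AccessResult::forbiddenIf(!$account->hasPermission('view all ssn values'))
      ->cachePerPermissions();
  }
  // Anything else: leave the decision to other modules and the defaults.
  return AccessResult::neutral();
}
```

After deploying such hooks, confirm the behaviour from the outside: issue the same filtered collection request once as an anonymous or low-privilege user and once as an administrator, and check that the low-privilege response contains no rows (and no `meta` counts or `links` that differ by filter value) for entities the account cannot view directly.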

Solution: 
Install the latest version:

* If you use the JSON:API module 8.x-1.x for Drupal 8.x, upgrade to JSON:API
8.x-1.24 [3]

Also see the JSON:API [4] project page.

Reported By: 
* Gabe Sullice [5]
* Lauri Eskola [6]

Fixed By: 
* Gabe Sullice [7]
* Wim Leers [8]
* Alex Bronstein [9] of the Drupal Security Team
* Tobias Zimmermann [10]
* Andrei Mateescu [11]
* Mateu Aguiló Bosch [12]
* Hristo Chonov [13]
* Daniel Wehner [14]
* Sascha Grossenbacher [15]
* Kristiaan Van den Eynde [16]
* Lee Rowlands [17] of the Drupal Security Team

Coordinated By: 
* Alex Bronstein [18] of the Drupal Security Team


[1] https://www.drupal.org/project/jsonapi
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3021532
[4] https://www.drupal.org/project/jsonapi
[5] https://www.drupal.org/user/2287430
[6] https://www.drupal.org/user/1078742
[7] https://www.drupal.org/user/2287430
[8] https://www.drupal.org/user/99777
[9] https://www.drupal.org/user/78040
[10] https://www.drupal.org/user/107158
[11] https://www.drupal.org/user/729614
[12] https://www.drupal.org/user/550110
[13] https://www.drupal.org/user/2901211
[14] https://www.drupal.org/user/99340
[15] https://www.drupal.org/user/214652
[16] https://www.drupal.org/user/1345130
[17] https://www.drupal.org/user/395439
[18] https://www.drupal.org/user/78040

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19.
