it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] JSON:API - Critical - Unsupported - SA-CONTRIB-2020-010
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] JSON:API - Critical - Unsupported - SA-CONTRIB-2020-010
- Date: Wed, 15 Apr 2020 16:11:05 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2020-010
Project: JSON:API [1]
Version: 8.x-1.26
Date: 2020-April-15
Security risk: *Critical* 15∕25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2]
Vulnerability: Unsupported
Description:

This module provides a JSON API standards-compliant API for accessing and
manipulating Drupal content and configuration entities.

The security team and module maintainers are marking this project
unsupported. Both the 8.x-1.x and 8.x-2.x versions are unsupported, and users
of either version are strongly encouraged to upgrade to a supported version
of Drupal core, which includes a supported version of JSON:API.

The eventual removal of security coverage for the JSON:API contributed module
was announced with the release of JSON:API 8.x-1.22 [3] on 28 June 2018.

Additionally, there is a known security issue with the 8.x-1.x branch of the
project that will not be fixed by the maintainers. That issue is not present
in the 8.x-2.x branch of the project, nor is it present in Drupal core.

Solution:

Users of the module are encouraged to upgrade to a supported version of
Drupal core, which is distributed with a supported version of JSON:API.

If your site is currently using a release from the 8.x-1.x branch of the
module, you may be required to apply fixes for the breaking changes
documented here [4].

Also see the JSON:API [5] project page.
Reported By:
* Gabe Sullice [6]
* Alex Bronstein [7]
* Wim Leers [8]
* Mateu Aguiló Bosch [9]
Fixed By:
* Gabe Sullice [10]
* Alex Bronstein [11]
* Wim Leers [12]
* Mateu Aguiló Bosch [13]
Coordinated By:
* Greg Knaddison [14] of the Drupal Security Team
[1] https://www.drupal.org/project/jsonapi
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/jsonapi/releases/8.x-1.22
[4] https://www.drupal.org/list-changes/jsonapi/published?to_branch=8.x-2.x
[5] https://www.drupal.org/project/jsonapi
[6] https://www.drupal.org/user/2287430
[7] https://www.drupal.org/user/78040
[8] https://www.drupal.org/user/99777
[9] https://www.drupal.org/user/550110
[10] https://www.drupal.org/user/2287430
[11] https://www.drupal.org/user/78040
[12] https://www.drupal.org/user/99777
[13] https://www.drupal.org/user/550110
[14] https://www.drupal.org/user/36762