DRUPAL-CONTRIB-2018-015

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/jsonapi/DRUPAL-CONTRIB-2018-015.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2018-015
Published
2018-02-21T20:12:22Z
Modified
2025-12-10T23:32:56.384342Z
Summary
[none]
Details

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

  • The module doesn't sufficiently associate cacheability metadata in certain situations, thereby causing an access bypass vulnerability.

    This vulnerability is mitigated by the fact that an attacker cannot trigger an exploitable situation themselves.

  • The module doesn't sufficiently check access in certain situations.

    This vulnerability is mitigated by the fact that an attacker must have permission to create entities of certain content entity types.

Update: This is fixed in 8.x-1.10, not 8.x-1.9.


Affected packages

Packagist:https://packages.drupal.org/8 / drupal/jsonapi

Package

Name
drupal/jsonapi
Purl
pkg:composer/drupal/jsonapi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.10.0
Database specific
{
    "constraint": "<1.10.0"
}

Database specific

affected_versions
"<1.10.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/jsonapi/DRUPAL-CONTRIB-2018-015.json"