DRUPAL-CONTRIB-2018-081

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/jsonapi/DRUPAL-CONTRIB-2018-081.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2018-081
Published
2018-12-19T17:53:49Z
Modified
2025-12-10T23:32:56.384831Z
Summary
[none]
Details

This module provides a JSON:API specification-compliant HTTP API for accessing and manipulating Drupal content and configuration entities.

The module doesn't sufficiently check access when responding to certain filtered collection requests, thereby causing an access bypass vulnerability. (This means certain GET requests are vulnerable; no POST, PATCH or DELETE requests are vulnerable.)

In order to fix this issue, two new hooks were added: hook_jsonapi_ENTITY_TYPE_filter_access() and hook_jsonapi_entity_field_filter_access(). Sites with custom entity types and/or with entity or field access customizations may need to implement these newly introduced hooks.
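As an added illustration (not code from this advisory or from the jsonapi module itself), a custom module implementing both new hooks so that filtered collection requests respect the site's own access rules. The hook signatures and JSONAPI_FILTER_AMONG_* constants follow Drupal's jsonapi.api.php documentation; the module name, the `llama` entity type, the `field_salary` field and the permission strings are hypothetical placeholders.

```php
<?php

/**
 * @file
 * Added example (mymodule.module): implements the two hooks introduced in
 * jsonapi 1.24.0. "mymodule", "llama", "field_salary" and all permission
 * names are hypothetical placeholders, not taken from the advisory.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_jsonapi_ENTITY_TYPE_filter_access() for the 'llama' type.
 *
 * Declares which subsets of the collection an account may filter across.
 * Without this, a filtered GET on the collection could reveal whether
 * entities the account may not view match a filter condition.
 */
function mymodule_jsonapi_llama_filter_access(EntityTypeInterface $entity_type, AccountInterface $account) {
  return [
    // Filtering across every llama, published or not, needs admin rights.
    JSONAPI_FILTER_AMONG_ALL => AccessResult::allowedIfHasPermission($account, 'administer llamas'),
    // Anyone allowed to view published llamas may filter among those.
    JSONAPI_FILTER_AMONG_PUBLISHED => AccessResult::allowedIfHasPermission($account, 'view published llamas'),
    // Owners may additionally filter among their own unpublished llamas.
    JSONAPI_FILTER_AMONG_OWN => AccessResult::allowedIfHasPermission($account, 'view own unpublished llamas'),
  ];
}

/**
 * Implements hook_jsonapi_entity_field_filter_access().
 *
 * Field-level check: a field the account cannot read must not be usable as
 * a filter condition either, or its contents could be inferred from which
 * entities match.
 */
function mymodule_jsonapi_entity_field_filter_access(FieldDefinitionInterface $field_definition, AccountInterface $account) {
  if ($field_definition->getTargetEntityTypeId() === 'llama'
      && $field_definition->getName() === 'field_salary') {
    return AccessResult::forbiddenIf(!$account->hasPermission('view llama salaries'))
      ->cachePerPermissions();
  }
  // Neutral leaves the decision to the module's default field access checks.
  return AccessResult::neutral();
}
```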

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/jsonapi

Package

Name
drupal/jsonapi
Purl
pkg:composer/drupal/jsonapi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.24.0
Database specific
{
    "constraint": "<1.24.0"
}

Database specific

affected_versions
"<1.24.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/jsonapi/DRUPAL-CONTRIB-2018-081.json"