DRUPAL-CORE-2020-006

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2020-006.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CORE-2020-006

Aliases

CVE-2020-13665

Published

2020-06-17T18:10:58Z

Modified

2025-12-10T23:41:31.784611Z

Summary

[none]

Details

JSON:API PATCH requests may bypass validation for certain fields.

By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.

References

https://www.drupal.org/sa-core-2020-006

Credits

- Sergii Bondarenko
- - https://www.drupal.org/user/2802285

Affected packages

Packagist / drupal/core

Package

Name: drupal/core
Purl: pkg:composer/drupal/core

Affected ranges

Type

ECOSYSTEM

Events

Introduced

8.0.0

Fixed

8.8.8

Database specific

{
    "constraint": ">= 8.0.0 <8.8.8"
}

Type

ECOSYSTEM

Events

Introduced

8.9.0

Fixed

8.9.1

Database specific

{
    "constraint": ">= 8.9.0 <8.9.1"
}

Type

ECOSYSTEM

Events

Introduced

9.0.0

Fixed

9.0.1

Database specific

{
    "constraint": ">=9.0.0 <9.0.1"
}

Affected versions

8.*

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.1.0-beta1

8.1.0-beta2

8.1.0-rc1

8.1.0

8.1.1

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.1.7

8.1.8

8.1.9

8.1.10

8.2.0-beta1

8.2.0-beta2

8.2.0-beta3

8.2.0-rc1

8.2.0-rc2

8.2.0

8.2.1

8.2.2

8.2.3

8.2.4

8.2.5

8.2.6

8.2.7

8.2.8

8.3.0-alpha1

8.3.0-beta1

8.3.0-rc1

8.3.0-rc2

8.3.0

8.3.1

8.3.2

8.3.3

8.3.4

8.3.5

8.3.6

8.3.7

8.3.8

8.3.9

8.4.0-alpha1

8.4.0-beta1

8.4.0-rc1

8.4.0-rc2

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.4.6

8.4.7

8.4.8

8.5.0-alpha1

8.5.0-beta1

8.5.0-rc1

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.7

8.5.8

8.5.9

8.5.10

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

8.6.0-alpha1

8.6.0-beta1

8.6.0-beta2

8.6.0-rc1

8.6.0

8.6.1

8.6.2

8.6.3

8.6.4

8.6.5

8.6.6

8.6.7

8.6.8

8.6.9

8.6.10

8.6.11

8.6.12

8.6.13

8.6.14

8.6.15

8.6.16

8.6.17

8.6.18

8.7.0-alpha1

8.7.0-alpha2

8.7.0-beta1

8.7.0-beta2

8.7.0-rc1

8.7.0

8.7.1

8.7.2

8.7.3

8.7.4

8.7.5

8.7.6

8.7.7

8.7.8

8.7.9

8.7.10

8.7.11

8.7.12

8.7.13

8.7.14

8.8.0-alpha1

8.8.0-beta1

8.8.0-rc1

8.8.0

8.8.1

8.8.2

8.8.3

8.8.4

8.8.5

8.8.6

8.8.7

8.9.0

9.*

9.0.0

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2020-006.json"

affected_versions

">= 8.0.0 <8.8.8 || >= 8.9.0 <8.9.1 || >=9.0.0 <9.0.1"