Learn about CVE-2020-13665, an access bypass vulnerability in Drupal Core versions 8.8.x, 8.9.x, and 9.0.x. Find out the impact, affected systems, exploitation mechanism, and mitigation steps.
Drupal Core versions 8.8.x prior to 8.8.8, 8.9.x prior to 8.9.1, and 9.0.x prior to 9.0.1 are affected by an access bypass vulnerability when JSON:API is in read/write mode.
Understanding CVE-2020-13665
This CVE identifies an access bypass vulnerability in Drupal Core that can be exploited when JSON:API is in read/write mode.
What is CVE-2020-13665?
The flaw is an access bypass in the JSON:API module shipped with Drupal Core. It is reachable only when JSON:API has been switched to read/write mode, that is, when read_only is FALSE in the jsonapi.settings configuration. Sites that leave JSON:API in its read-only mode, or that do not have the module enabled, are not affected.
The Impact of CVE-2020-13665
On an affected site the bypass lets JSON:API requests get past access controls that the site's permissions should enforce, so an attacker may reach content or operations that should have been denied to them. The severity depends on what the site exposes through JSON:API and on which users are allowed to use it.
Technical Details of CVE-2020-13665
Drupal Core 8.8.x before 8.8.8, 8.9.x before 8.9.1, and 9.0.x before 9.0.1 are affected, and only when JSON:API is configured in read/write mode.
Vulnerability Description
The issue lies in the JSON:API module of Drupal Core. When the module is set to read/write mode (jsonapi.settings read_only = FALSE), an access check that should apply to JSON:API requests is not enforced correctly, allowing access that the site's permission model would otherwise deny.
Affected Systems and Versions
Drupal Core 8.8.x prior to 8.8.8; Drupal Core 8.9.x prior to 8.9.1; Drupal Core 9.0.x prior to 9.0.1. In all three series a site is vulnerable only if jsonapi.settings has read_only set to FALSE.
Exploitation Mechanism
An attacker does not need to change any JSON:API settings, and normally cannot, since that requires administrative configuration access. The precondition is that a site administrator has already switched JSON:API to read/write mode. Against such a site, the attacker sends ordinary JSON:API requests and the affected versions fail to enforce an access check that should reject them.
Mitigation and Prevention
Two actions remove the exposure: upgrade to a fixed release, and, until that is done, take JSON:API out of read/write mode. Longer term, keep JSON:API read-only unless writes are genuinely required.
Immediate Steps to Take
Check the running Drupal Core version and the value of read_only in jsonapi.settings. If the site runs 8.8.x before 8.8.8, 8.9.x before 8.9.1, or 9.0.x before 9.0.1 and read_only is FALSE, the site is exposed. If the update cannot be applied at once, set read_only to TRUE; this removes the precondition for the bypass at the cost of disabling JSON:API write operations.
Long-Term Security Practices
Leave JSON:API in read-only mode unless an application actually needs to create or modify content through it, and restrict the permissions of any accounts that do. Subscribe to Drupal security advisories so that core updates are applied promptly.
Patching and Updates
Update Drupal Core to 8.8.8, 8.9.1, or 9.0.1 (or later in the respective series). After updating, re-check jsonapi.settings and decide deliberately whether read/write mode is still needed.
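The triage above comes down to two facts: the core release and the read_only value. The following POSIX shell script is an added example, not code from the Drupal project or the advisory; it reads both facts from constructed copies of core/lib/Drupal.php and an exported jsonapi.settings.yml and returns a single verdict. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example; not code from the Drupal project or the advisory. It reduces
# the advisory's two conditions (an affected core release, and JSON:API in
# read/write mode) to one verdict from facts that are easy to read off a site.

# Classify a Drupal core version string against the affected ranges:
# 8.8.x < 8.8.8, 8.9.x < 8.9.1, 9.0.x < 9.0.1. Prints "affected", "fixed",
# or "out-of-scope" for a release series the advisory does not name (do not
# read "out-of-scope" as safe; those series are simply not covered here).
drupal_version_status() {
  v=$1
  major=$(printf '%s\n' "$v" | cut -d. -f1)
  minor=$(printf '%s\n' "$v" | cut -d. -f2)
  # Keep only the leading digits of the patch component ("0-rc1" -> "0").
  patch=$(printf '%s\n' "$v" | cut -d. -f3 | sed 's/[^0-9].*$//')
  patch=${patch:-0}
  case "$major.$minor" in
    8.8) fixed=8 ;;
    8.9) fixed=1 ;;
    9.0) fixed=1 ;;
    *)   echo out-of-scope; return 0 ;;
  esac
  if [ "$patch" -lt "$fixed" ]; then echo affected; else echo fixed; fi
}

# Read the core version from core/lib/Drupal.php fed on stdin
# (the file declares: const VERSION = '8.8.7';).
drupal_version_from_core_php() {
  sed -n "s/.*const VERSION = '\([^']*\)'.*/\1/p" | head -n 1
}

# Read read_only from an exported jsonapi.settings.yml fed on stdin.
# Prints "false" only when the key is explicitly false; an absent key is
# reported as "true", because read-only is the module's shipped default.
jsonapi_read_only() {
  val=$(sed -n 's/^read_only:[[:space:]]*//p' | head -n 1 | tr -d "'\"" | tr 'A-Z' 'a-z')
  case "$val" in
    false|0) echo false ;;
    *)       echo true ;;
  esac
}

# Final verdict: "exposed" needs both an affected version and read_only=false.
cve_2020_13665_exposure() {
  version=$1
  read_only=$2
  case "$(drupal_version_status "$version")" in
    affected)
      if [ "$read_only" = false ]; then echo exposed; else echo not-exposed; fi ;;
    fixed) echo not-exposed ;;
    *)     echo out-of-scope ;;
  esac
}

# Constructed sample inputs standing in for the two files on a real site.
SAMPLE_CORE_PHP="<?php
class Drupal {
  const VERSION = '8.8.7';
}"
SAMPLE_JSONAPI_YML="_core:
  default_config_hash: constructed
read_only: false"

ver=$(printf '%s\n' "$SAMPLE_CORE_PHP" | drupal_version_from_core_php)
ro=$(printf '%s\n' "$SAMPLE_JSONAPI_YML" | jsonapi_read_only)
echo "core $ver, read_only=$ro: $(cve_2020_13665_exposure "$ver" "$ro")"
```

On a live site the same two facts come from `drush core:status --field=drupal-version` and `drush config:get jsonapi.settings read_only`. The read-only switch is on the JSON:API configuration page under Configuration > Web services (choose "Accept only JSON:API read operations"); with Drush 9 or later it can also be set with `drush config:set jsonapi.settings read_only true --input-format=yaml`, where the yaml input format makes the value a real boolean rather than the string "true".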