
====================================================================

                             CERT-Renater

                 Note d'Information No. 2018/VULN425
_____________________________________________________________________

DATE                : 27/12/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running JSON API for Drupal versions
                               8.x-1.x prior to 8.x-1.24.

=====================================================================
https://www.drupal.org/sa-contrib-2018-081
_____________________________________________________________________

JSON:API - Moderately critical - Access bypass - SA-CONTRIB-2018-081

Project: JSON:API
Date: 2018-December-19
Security risk: Moderately critical 13/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass

Description:

This module provides a JSON:API specification-compliant HTTP API for
accessing and manipulating Drupal content and configuration entities.

The module doesn't sufficiently check access when responding to certain
filtered collection requests, thereby causing an access bypass
vulnerability.

In order to fix this issue, two new hooks were added:
hook_jsonapi_ENTITY_TYPE_filter_access() and
hook_jsonapi_entity_field_filter_access(). Sites with custom entity
types and/or with entity or field access customizations may need to
implement these newly introduced hooks.
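The advisory names the two new hooks but does not show what an implementation looks like. The following is an added example, not code from the advisory or from the JSON:API project: a hypothetical `example_access.module` that implements both hooks for an invented custom entity type `support_ticket` with an invented `field_internal_notes` field. The hook signatures and the `JSONAPI_FILTER_AMONG_*` constants are assumed to match those documented in the module's `jsonapi.api.php` for 8.x-1.24 and should be checked against the installed version; the entity type, field and permission names are placeholders.

```php
<?php

/**
 * @file
 * Hypothetical example_access.module (illustration only): filter-access
 * hooks added by JSON:API 8.x-1.24 to close SA-CONTRIB-2018-081.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_jsonapi_ENTITY_TYPE_filter_access() for "support_ticket"
 * (a hypothetical custom entity type).
 *
 * JSON:API consults this before applying ?filter= conditions to a collection
 * of this entity type. The result is keyed by which subset of entities the
 * account is allowed to filter among; a subset that is not allowed here is
 * excluded from the filtered query, so a hidden entity's field values
 * cannot be inferred by probing collection filters.
 */
function example_access_jsonapi_support_ticket_filter_access(EntityTypeInterface $entity_type, AccountInterface $account) {
  return [
    // Staff may filter across every ticket, published or not.
    JSONAPI_FILTER_AMONG_ALL => AccessResult::allowedIfHasPermission($account, 'administer support tickets'),
    // Anyone who may view published tickets may filter among those only.
    JSONAPI_FILTER_AMONG_PUBLISHED => AccessResult::allowedIfHasPermission($account, 'view published support tickets'),
    // Not applicable: this entity type has no "enabled" status flag.
    JSONAPI_FILTER_AMONG_ENABLED => AccessResult::neutral(),
    // Users may filter among tickets they own.
    JSONAPI_FILTER_AMONG_OWN => AccessResult::allowedIfHasPermission($account, 'view own support tickets'),
  ];
}

/**
 * Implements hook_jsonapi_entity_field_filter_access().
 *
 * Field-level counterpart: forbid filtering on a field whose values are
 * hidden from most users, so that a filter on field_internal_notes cannot be
 * used to test what a hidden note contains. Returning neutral for every
 * other field leaves the module's default field access checks in charge.
 */
function example_access_jsonapi_entity_field_filter_access(FieldDefinitionInterface $field_definition, AccountInterface $account) {
  if ($field_definition->getTargetEntityTypeId() === 'support_ticket'
    && $field_definition->getName() === 'field_internal_notes') {
    // cachePerPermissions() keeps the access result correctly cached per
    // permission set rather than leaking one account's decision to another.
    return AccessResult::forbiddenIf(!$account->hasPermission('administer support tickets'))
      ->cachePerPermissions();
  }
  return AccessResult::neutral();
}
```

Sites that only use core entity types and have no custom entity or field access logic get the module's own implementations of these hooks after upgrading; the hooks above are needed only where access rules differ from the defaults, and each result should carry the same cacheability metadata as the corresponding entity or field access check.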


Solution:

Install the latest version:

    If you use the JSON:API module 8.x-1.x for Drupal 8.x, upgrade to
    JSON:API 8.x-1.24.

Also see the JSON:API project page.


Reported By:

    Gabe Sullice
    Lauri Eskola


Fixed By:

    Gabe Sullice
    Wim Leers
    Alex Bronstein of the Drupal Security Team
    Tobias Zimmermann
    Andrei Mateescu
    Mateu Aguilo Bosch
    Hristo Chonov
    Daniel Wehner
    Sascha Grossenbacher
    Kristiaan Van den Eynde
    Lee Rowlands of the Drupal Security Team


Coordinated By:

    Alex Bronstein of the Drupal Security Team

===============================================================
+ CERT-RENATER               | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel         | fax : 01-53-94-20-41           +
+ 75013 Paris                | email: cert@support.renater.fr +
===============================================================