Security advisories: Drupal core – Moderately critical – Access Bypass – SA-CORE-2021-010

Project: 
Date: 
2021-September-15
Vulnerability: 
Access Bypass
CVE IDs: 
CVE-2020-13677
Description: 
Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass.

Sites that do not have the JSON:API module enabled are not affected.

This advisory is not covered by Drupal Steward.

Solution: 
Install the latest version:

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.

Drupal 7 core does not include the JSON:API module and therefore is not affected.

Reported By: 
Fixed By: 


Go to Source
Author: