CVE-2020-13677

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-13677
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13677.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-13677
Aliases
Downstream
Published
2022-02-11T16:15:08.487Z
Modified
2026-05-18T21:34:29.424026Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected.

References

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type
GIT
Repo
https://github.com/drupal/drupal
Events
Introduced
35c2f3ca5c935f3d8bde15932a712677c9bbd50f
Fixed
ff4f28f15d717b1ba39867f1550a248d1a915928
Introduced
5c6f14f762c9aef87cd2731818386f202ee8463c
Fixed
bdafd0207e0b6d78baa13ac181d9b74ba5e806cd
Introduced
943ecef3c0bc9822338252a7df6419aeb9253c9d
Fixed
4d4e64ff19e7fefad760f223bdb8cf36db9db43e
Database specific 
{
    "cpe": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.9.19"
        },
        {
            "introduced": "9.1.0"
        },
        {
            "fixed": "9.1.13"
        },
        {
            "introduced": "9.2.0"
        },
        {
            "fixed": "9.2.6"
        }
    ]
}

Affected versions

8.*
8.0.0
8.1.0-beta1
8.9.0
8.9.0-beta1
8.9.0-beta2
8.9.0-beta3
8.9.0-rc1
8.9.11
8.9.12
8.9.15
8.9.16
8.9.17
8.9.18
8.9.2
8.9.3
8.9.4
8.9.5
8.9.8
9.*
9.1.0
9.1.1
9.1.10
9.1.11
9.1.12
9.1.2
9.1.4
9.1.5
9.1.6
9.1.8
9.2.0
9.2.1
9.2.3
9.2.5

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13677.json"