CVE-2020-13665

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass access controls in Drupal Core's JSON:API module when configured in read/write mode. Attackers could potentially perform unauthorized operations like creating, updating, or deleting content. Only Drupal sites with JSON:API configured with read_only set to FALSE are affected.

💻 Affected Systems

Products:
  • Drupal Core
Versions: Drupal 8.8.x prior to 8.8.8, 8.9.x prior to 8.9.1, 9.0.x prior to 9.0.1
Operating Systems: All operating systems running Drupal
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when JSON:API module is enabled and configured with read_only set to FALSE in jsonapi.settings configuration.

📦 What is this software?

Drupal is an open-source content management system written in PHP. The JSON:API module, part of Drupal core, exposes site content (entities) over a JSON:API-compliant HTTP interface; when read_only is FALSE it also accepts POST, PATCH, and DELETE requests that create, update, or delete content.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete site compromise allowing attackers to modify any content, inject malicious code, or delete critical data through unauthorized API operations.

🟠 Likely Case: Unauthorized content manipulation, data corruption, or privilege escalation through the JSON:API endpoints.

🟢 If Mitigated: Limited impact with proper network segmentation and API monitoring, though access bypass could still occur.

🌐 Internet-Facing: HIGH - Drupal sites are typically internet-facing, and the vulnerability allows unauthenticated exploitation of API endpoints.
🏢 Internal Only: MEDIUM - Internal Drupal instances could still be exploited by internal attackers or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in access control logic, making exploitation straightforward once identified. Public advisories provide technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Drupal 8.8.8, 8.9.1, or 9.0.1

Vendor Advisory: https://www.drupal.org/sa-core-2020-006

Restart Required: No

Instructions:

1. Update Drupal Core to the patched version using Composer or Drupal's update mechanism.
2. Clear all caches.
3. Verify JSON:API functionality remains operational.

🔧 Temporary Workarounds

Disable JSON:API write mode (applies to all affected versions)

Set JSON:API to read-only mode to prevent write operations while maintaining read functionality.

drush config-set jsonapi.settings read_only true

Disable JSON:API module (applies to all affected versions)

Completely disable the JSON:API module if not required.

drush pm-uninstall jsonapi

🧯 If You Can't Patch

  • Implement strict network access controls to limit JSON:API endpoint exposure
  • Enable detailed logging of all JSON:API requests and monitor for unauthorized operations

🔍 How to Verify

Check if Vulnerable:

Check the Drupal version and the JSON:API configuration:

drush status
drush config-get jsonapi.settings read_only

Check Version:

drush status | grep 'Drupal version'

Verify Fix Applied:

Confirm with drush status that the Drupal version is 8.8.8, 8.9.1, or 9.0.1 or later on its release branch.
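As an added example (not part of the advisory and not Drupal or Drush tooling), a small Python helper that applies the version ranges and the read_only condition above to the output of the two drush commands. The exact drush output format it parses is an assumption, so bare values such as "8.8.7" and "false" are accepted too.

```python
"""Assess CVE-2020-13665 exposure from `drush status` and
`drush config-get jsonapi.settings read_only` output (added example)."""
import re

# First fixed release on each affected branch, per the advisory summary.
PATCHED = {
    (8, 8): (8, 8, 8),
    (8, 9): (8, 9, 1),
    (9, 0): (9, 0, 1),
}


def parse_version(text):
    """Return (major, minor, patch) from e.g. 'Drupal version : 8.8.7'.
    A pre-release suffix such as '9.0.0-rc1' is ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in: %r" % text)
    return tuple(int(p) for p in m.groups())


def parse_read_only(text):
    """Interpret the read_only value. Assumed drush output looks like
    "'jsonapi.settings:read_only': false"; a bare 'true'/'false' also works."""
    value = text.strip().rsplit(":", 1)[-1].strip().strip("'\"").lower()
    return value in ("true", "1", "yes")


def assess(version_text, read_only_text):
    """Return 'vulnerable', 'patched', 'mitigated' (write mode already off),
    or 'branch-not-listed' for a version outside the advisory's ranges,
    which must be checked against the advisory by hand."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch not in PATCHED:
        return "branch-not-listed"
    if version >= PATCHED[branch]:
        return "patched"
    # Unpatched release on an affected branch: exposure depends on read_only.
    return "mitigated" if parse_read_only(read_only_text) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample output, not captured from a real site.
    print(assess("Drupal version : 8.8.7",
                 "'jsonapi.settings:read_only': false"))
```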

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST/PATCH/DELETE requests to /jsonapi endpoints
  • Failed access control checks in Drupal logs
  • Unexpected content modifications via API

Network Indicators:

  • Unusual traffic patterns to JSON:API endpoints
  • API requests from unexpected sources or user agents

SIEM Query:

source="drupal.log" AND ("jsonapi" AND ("POST" OR "PATCH" OR "DELETE")) AND NOT user="authenticated"
