CVE-2020-13675

9.8 CRITICAL

📋 TL;DR

CVE-2020-13675 is a critical access bypass vulnerability in Drupal's JSON:API and REST/File modules that allows attackers to upload files without proper validation. This affects Drupal sites using these modules, potentially enabling malicious file uploads that could lead to remote code execution. All Drupal administrators should treat this as a high-priority security issue.

💻 Affected Systems

Products:
  • Drupal Core
Versions: Drupal 8.8.x before 8.8.11, Drupal 8.9.x before 8.9.9, Drupal 9.0.x before 9.0.9
Operating Systems: All operating systems running Drupal
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects sites with JSON:API module (enabled by default in Drupal 8/9) or REST/File module enabled

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and persistent backdoor installation

🟠 Likely Case: Malicious file upload enabling web shell deployment, privilege escalation, and lateral movement within the environment

🟢 If Mitigated: File upload attempts logged and blocked, with no successful exploitation due to proper validation controls

🌐 Internet-Facing: HIGH - Drupal sites are typically internet-facing and the vulnerability requires no authentication
🏢 Internal Only: MEDIUM - Internal Drupal instances could still be exploited by authenticated users or through other attack vectors

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. Attackers can upload malicious files without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Drupal 8.8.11, 8.9.9, 9.0.9 or later

Vendor Advisory: https://www.drupal.org/sa-core-2021-008

Restart Required: No

Instructions:

1. Back up your Drupal site and database.
2. Update Drupal core to the patched version using Composer: 'composer update drupal/core --with-dependencies'.
3. Run database updates: 'drush updatedb' or via the admin interface.
4. Clear all caches: 'drush cr' or via the admin interface.

🔧 Temporary Workarounds

Disable vulnerable modules (platform: all)

Temporarily disable the JSON:API and REST/File modules until patching is possible:

drush pm:uninstall jsonapi
drush pm:uninstall rest

Implement file upload restrictions (platform: linux)

Configure the web server to block requests to the vulnerable upload endpoints:

# Apache 2.4: add to the VirtualHost or server config
# (<LocationMatch> is not permitted inside .htaccess; use a RewriteRule there instead)
<LocationMatch "^/jsonapi/file/upload">
    Require all denied
</LocationMatch>
# Nginx: add to the server block
location ~* ^/jsonapi/file/upload {
    deny all;
}

🧯 If You Can't Patch

  • Disable JSON:API and REST/File modules immediately
  • Implement strict WAF rules to block file uploads to /jsonapi/file/upload endpoints

🔍 How to Verify

Check if Vulnerable:

Check Drupal version: 'drush status' or navigate to /admin/reports/status. If version is 8.8.x < 8.8.11, 8.9.x < 8.9.9, or 9.0.x < 9.0.9, you are vulnerable.

Check Version:

drush status | grep 'Drupal version' or check /admin/reports/status in browser

Verify Fix Applied:

Confirm Drupal version is 8.8.11+, 8.9.9+, or 9.0.9+ and test file upload functionality through JSON:API endpoints

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /jsonapi/file/upload endpoints
  • Multiple failed file upload attempts with unusual extensions
  • POST requests to JSON:API with file upload parameters

Network Indicators:

  • HTTP POST requests to /jsonapi/file/upload with file content
  • Unusual traffic patterns to Drupal file upload endpoints

SIEM Query:

source="drupal_access.log" AND (uri_path="/jsonapi/file/upload" OR uri_path="/file/upload/rest") AND http_method="POST"
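Added example, not part of this advisory: a small Python detector that applies the log indicators above to Apache access-log lines, flagging POSTs to the listed upload endpoints (the paths quoted in the SIEM query) and sources that repeat them. The sample log lines, the severity mapping and the burst threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Sep/2021:10:01:02 +0000] "POST /jsonapi/file/upload HTTP/1.1" 201 512 "-" "python-requests/2.25"
203.0.113.7 - - [15/Sep/2021:10:01:03 +0000] "POST /jsonapi/file/upload HTTP/1.1" 403 120 "-" "python-requests/2.25"
203.0.113.7 - - [15/Sep/2021:10:01:04 +0000] "POST /jsonapi/file/upload?x=1 HTTP/1.1" 403 120 "-" "python-requests/2.25"
198.51.100.4 - - [15/Sep/2021:10:02:00 +0000] "GET /jsonapi/node/article HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Sep/2021:10:03:00 +0000] "POST /file/upload/rest HTTP/1.1" 415 90 "-" "curl/7.68"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Upload endpoints to watch, taken from the SIEM query above; a real deployment
# should extend this with the site's own JSON:API field upload routes (assumption).
UPLOAD_PATHS = ("/jsonapi/file/upload", "/file/upload/rest")


def parse_line(line):
    """Parse one combined-format access-log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string when matching
    return rec


def is_upload_attempt(rec):
    return rec["method"] == "POST" and any(rec["path"].startswith(p) for p in UPLOAD_PATHS)


def detect(log_text, burst_threshold=3):
    """Return (events, bursts): each upload POST with a severity, and IPs at or above the threshold."""
    events, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_upload_attempt(rec):
            continue
        per_ip[rec["ip"]] += 1
        # A 2xx means the server accepted the upload; anything else was blocked or rejected.
        severity = "HIGH" if 200 <= rec["status"] < 300 else "MEDIUM"
        events.append({"ip": rec["ip"], "path": rec["path"], "status": rec["status"], "severity": severity})
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return events, bursts


if __name__ == "__main__":
    found, repeat = detect(SAMPLE_LOG)
    for e in found:
        print(e)
    print("burst sources:", repeat)
```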
