Base Score

HIGH7.5

CVE-2020-13677

Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected.

VectorNETWORK

Published Bymlhess@drupal.org

Published DateFeb 11, 2022, 16:15

Affected Versions(3)

drupal/core(Packagist)

Introduced8.0.0

Fixed8.9.19

LimitN/A

drupal/core(Packagist)

Introduced9.1.0

Fixed9.1.13

LimitN/A

drupal/core(Packagist)

Introduced9.2.0

Fixed9.2.6

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
drupal/core(Packagist)	8.0.0	8.9.19	N/A
drupal/core(Packagist)	9.1.0	9.1.13	N/A
drupal/core(Packagist)	9.2.0	9.2.6	N/A

Weakness Type (CWE):NVD-CWE-Other

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE

References

https://www.drupal.org/sa-core-2021-010

Base Score

HIGH7.5

Weakness Type (CWE):NVD-CWE-Other

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE