CVE-2020-13675 — CRITICAL (9.8)

Q: How severe is CVE-2020-13675?

CVE-2020-13675 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2020-13675?

Check the references section above for vendor advisories and patch information. Affected products include: Drupal Drupal.

Vulnerability Description

Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Drupal	Drupal	>= 8.0.0, < 8.9.19

Related Weaknesses (CWE)

CWE-434 CWE-284

References

https://www.drupal.org/sa-core-2021-008MitigationPatchVendor Advisory
https://www.drupal.org/sa-core-2021-008MitigationPatchVendor Advisory

FAQ

What is CVE-2020-13675?

CVE-2020-13675 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might...

How severe is CVE-2020-13675?

CVE-2020-13675 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-13675?

Check the references section above for vendor advisories and patch information. Affected products include: Drupal Drupal.