Drupal REST & JSON API Authentication - Moderately critical - Access bypass - SA-CONTRIB-2024-022

Project:

REST & JSON API Authentication for Drupal

Date:

2024-May-29

Security risk:

Moderately critical 11 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All

Vulnerability:

Access bypass

Affected versions:

<2.0.13

CVE IDs:

CVE-2024-13258

Description:

Drupal REST & JSON API Authentication module restricts and secures unauthorized access to your Drupal site APIs using different authentication methods including Basic Authentication , API Key Authentication , JWT Authentication , OAuth Authentication , External / Third-Party Provider Authentication, etc.

The module doesn't sufficiently control user access when using Basic Authentication.

Solution:

Install the latest version:

If you use the 2.0.x branch, upgrade to Drupal REST & JSON API Authentication 2.0.13
If you use the 8.x-1.x branch, upgrade to Drupal REST & JSON API Authentication 2.0.13, as the 8.x-1.x branch is now unsupported.

Reported By:

Arek Suchecki

Fixed By:

solideogloria
Shashank Thigale
Arek Suchecki
Greg Knaddison of the Drupal Security Team

Coordinated By:

Greg Knaddison of the Drupal Security Team
Juraj Nemec of the Drupal Security Team
David Rothstein of the Drupal Security Team
Michael Hess of the Drupal Security Team

Contribution record

Drupal REST & JSON API Authentication - Moderately critical - Access bypass - SA-CONTRIB-2024-022

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community