CVE-2020-13675

CRITICAL9.8EPSS 0.80%

Unrestricted Upload of File with Dangerous Type in Drupal core

發布日:2021/9/15修改日:2025/12/10

也稱為:GHSA-v8wr-r69p-mmwxBIT-drupal-2020-13675DRUPAL-CONTRIB-2021-029DRUPAL-CORE-2021-008

描述

Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.

受影響套件(4)

Bitnami/drupal>= 8.0.0, < 8.9.19, >= 9.1.0, < 9.1.13, >= 9.2.0, < 9.2.6
Packagist/drupal/core>= 8.0.0, < 8.9.19 | >= 9.1.0, < 9.1.13 | >= 9.2.0, < 9.2.6
Packagist/drupal/core>= 8.0.0, < 8.9.19
Packagist/drupal/graphql>= 4.0.0, < 4.2.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-13675
PATCHhttps://github.com/drupal/core
WEBhttps://www.drupal.org/sa-contrib-2021-029
WEBhttps://www.drupal.org/sa-core-2021-008