JSON:API - Moderately critical - Access bypass - SA-CONTRIB-2018-081

Project: JSON:API

Date: 2018-December-19

Security risk: Moderately critical 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All

Vulnerability: Access bypass

Description: This module provides a JSON:API specification-compliant HTTP API for accessing and manipulating Drupal content and configuration entities.

The module doesn't sufficiently check access when responding to certain filtered collection requests, thereby causing an access bypass vulnerability.

In order to fix this issue, two new hooks were added: hook_jsonapi_ENTITY_TYPE_filter_access() and hook_jsonapi_entity_field_filter_access(). Sites with custom entity types and/or with entity or field access customizations may need to implement these newly introduced hooks.

Solution: Install the latest version:

Also see the JSON:API project page.

Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2018-081
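
For sites that need the two hooks named in the description, the following is an added example and not code from the advisory or the JSON:API project. The module name `mymodule`, the entity type `ticket`, the field `field_internal_notes` and the permission names are hypothetical; the hook signatures and `JSONAPI_FILTER_AMONG_*` constants should be checked against the `jsonapi.api.php` shipped with the installed version.

```php
<?php
// mymodule.module (hypothetical module; "ticket" is a hypothetical custom
// entity type and the permission names below are assumptions).

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityTypeInterface;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_jsonapi_ENTITY_TYPE_filter_access() for 'ticket'.
 *
 * Declares which subsets of tickets an account may filter across in a
 * collection request. Subsets that are not listed are not granted here.
 */
function mymodule_jsonapi_ticket_filter_access(EntityTypeInterface $entity_type, AccountInterface $account) {
  return [
    // Filtering across every ticket is limited to ticket administrators.
    JSONAPI_FILTER_AMONG_ALL => AccessResult::allowedIfHasPermission($account, 'administer tickets'),
    // Filtering across tickets owned by the requesting account.
    JSONAPI_FILTER_AMONG_OWN => AccessResult::allowedIfHasPermission($account, 'view own tickets'),
  ];
}

/**
 * Implements hook_jsonapi_entity_field_filter_access().
 *
 * Blocks filtering on a restricted field: even when the field is hidden from
 * the response, which entities match a filter can reveal its value.
 */
function mymodule_jsonapi_entity_field_filter_access(FieldDefinitionInterface $field_definition, AccountInterface $account) {
  $is_restricted_field = $field_definition->getTargetEntityTypeId() === 'ticket'
    && $field_definition->getName() === 'field_internal_notes';

  if ($is_restricted_field) {
    // Vary the cached result by permissions so one role's answer is never
    // served to another role.
    return AccessResult::forbiddenIf(!$account->hasPermission('administer tickets'))
      ->cachePerPermissions();
  }

  // No opinion on any other field; other access logic decides.
  return AccessResult::neutral();
}
```

After deploying hooks like these, rebuild caches and confirm with a low-privilege account that a filtered collection request on the restricted field is refused.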