{"id":"DRUPAL-CONTRIB-2018-016","details":"This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.\n\nThe module doesn't sufficiently check access when viewing related resources or relationships, thereby causing an access bypass vulnerability.\n\nThis vulnerability is mitigated by the fact that an attacker must be allowed to view the related data, otherwise all they can glean is an entity type UUID and a UUID, which are meaningless by themselves.","modified":"2025-12-10T23:32:53.917080Z","published":"2018-03-21T16:59:32Z","references":[{"type":"WEB","url":"https://www.drupal.org/sa-contrib-2018-016"}],"affected":[{"package":{"name":"drupal/jsonapi","ecosystem":"Packagist:https://packages.drupal.org/8","purl":"pkg:composer/drupal/jsonapi"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.14.0"}],"database_specific":{"constraint":"\u003c1.14.0"}}],"database_specific":{"affected_versions":"\u003c1.14.0","source":"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/jsonapi/DRUPAL-CONTRIB-2018-016.json"}}],"schema_version":"1.7.3","credits":[{"name":"Gabe Sullice","contact":["https://www.drupal.org/user/2287430"]}]}