+ "details": "[SA-CORE-2019-003](https://www.drupal.org/sa-core-2019-003) added protection for fields that store serialized data to disallow direct writes via web services.\n\nThe above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain rare circumstances, potentially resulting in PHP Object Injection.\n\nThis vulnerability is mitigated by the fact that in order to be exploitable:\n\n* A site must use an entity reference field type that stores a serialized property.\n* An attacker must have permission to write to the entity via JSON:API.\n\nNo field type shipped with Drupal core meets these criteria, and contributed or user-created field types that do appear to be extremely unusual. This update protects all such fields; no changes are required in contributed modules.\n\nJSON:API is read-only by default, so sites are only affected if they have enabled write access (either through administrator configuration or the installation of a contributed or custom module that enables write access).\n\n#### Drupal Steward protection:\n\nThis issue is being protected by [Drupal Steward](https://www.drupal.org/steward). In this instance, we believe that the WAF rule will provide mitigation for the common/obvious vulnerability paths, but may not be able to cover all cases or work for all hosting providers. Additionally, several other core security advisories released today are *not* mitigated by Drupal Steward. Therefore, our recommended action is still to plan an actual Drupal update within 24 hours of this release.",
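Review bot: the `details` text relies on relative time references ("several other core security advisories released today", "plan an actual Drupal update within 24 hours of this release") that lose their meaning once this record is read from the database on its own, since nothing in the field states when "today" was or which advisory "this release" refers to; only the earlier fix SA-CORE-2019-003 is identified. Suggest replacing them with explicit values, e.g. `... advisories released on <publication date> ...` and `... within 24 hours of <this advisory's SA identifier>` (placeholders, the actual values are not in this hunk), or keeping the time-sensitive Drupal Steward guidance out of the `details` field. Minor style point: the `#### Drupal Steward protection:` heading carries a trailing colon, which does not match usual markdown heading style.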