JSON:API - Critical - Unsupported - SA-CONTRIB-2020-010

Project: JSON:API
Version: 8.x-1.26
Date: 2020-April-15
Security risk: Critical 15∕25 
Vulnerability: Unsupported

Description

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

The security team and module maintainers are marking this project unsupported. Both the 8.x-1.x and 8.x-2.x versions are unsupported, and users of either version are strongly encouraged to upgrade to a supported version of Drupal core, which includes a supported version of JSON:API.

The eventual removal of security coverage for the JSON:API contributed module was announced with the release of JSON:API 8.x-1.22 on 28 June 2018.

Additionally, there is a known security issue with the 8.x-1.x branch of the project that will not be fixed by the maintainers. That issue is not present in the 8.x-2.x branch of the project, nor is it present in Drupal core.

Solution

Users of the module are encouraged to upgrade to a supported version of Drupal core, which is distributed with a supported version of JSON:API.

If your site is currently using a release from the 8.x-1.x branch of the module, you may be required to apply fixes for the breaking changes documented here.

Also see the JSON:API project page.

Nick Onom
Marketing Project Manager