CVE-2020-13667
First published: Wed Sep 16 2020(Updated: )
Access bypass vulnerability in of Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module. This issue affects Drupal Core8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.
Credit: mlhess@drupal.org mlhess@drupal.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/drupal/drupal | >=8.0.0<8.1.0>=8.1.0<8.2.0>=8.2.0<8.3.0>=8.3.0<8.4.0>=8.4.0<8.5.0>=8.5.0<8.6.0>=8.6.0<8.7.0>=8.7.0<8.8.0>=8.8.0<8.8.10>=8.9.0<8.9.6>=9.0.0<9.0.6 | |
| composer/drupal/core | >=8.0.0<8.1.0>=8.1.0<8.2.0>=8.2.0<8.3.0>=8.3.0<8.4.0>=8.4.0<8.5.0>=8.5.0<8.6.0>=8.6.0<8.7.0>=8.7.0<8.8.0>=8.8.0<8.8.10>=8.9.0<8.9.6>=9.0.0<9.0.6 | |
| Drupal Drupal | >=8.8.0<8.8.10 | |
| Drupal Drupal | >=8.9.0<8.9.6 | |
| Drupal Drupal | >=9.0.0<9.0.6 | |
| composer/drupal/drupal | >=9.0.0<9.0.6 | 9.0.6 |
| composer/drupal/drupal | >=8.9.0<8.9.6 | 8.9.6 |
| composer/drupal/drupal | >=8.8.0<8.8.10 | 8.8.10 |
| composer/drupal/core | >=9.0.0<9.0.6 | 9.0.6 |
| composer/drupal/core | >=8.9.0<8.9.6 | 8.9.6 |
| composer/drupal/core | >=8.8.0<8.8.10 | 8.8.10 |
| >=8.8.0<8.8.10 | ||
| >=8.9.0<8.9.6 | ||
| >=9.0.0<9.0.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.drupal.org/sa-core-2020-008
- https://nvd.nist.gov/vuln/detail/CVE-2020-13667
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13667.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13667.yaml
- https://github.com/advisories/GHSA-x2q9-r8gm-f657 (Advisory)
Frequently Asked Questions
What is CVE-2020-13667?
CVE-2020-13667 is an access bypass vulnerability in Drupal Core Workspaces that allows an attacker to access data without correct permissions.
What is the severity of CVE-2020-13667?
The severity of CVE-2020-13667 is moderately critical with a CVSS score of 5.3.
How does CVE-2020-13667 affect Drupal?
CVE-2020-13667 affects Drupal versions 8.0.0 to 8.9.6 and 9.0.0 to 9.0.6.
How can an attacker exploit CVE-2020-13667?
An attacker can exploit CVE-2020-13667 by leveraging the access bypass vulnerability in the Workspaces module to view content without proper permissions.
Where can I find more information about CVE-2020-13667?
More information about CVE-2020-13667 can be found at the following link: [SA-CORE-2020-008](https://www.drupal.org/sa-core-2020-008)
- collector/friends-of-php
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-x2q9-r8gm-f657
- alias/CVE-2020-13667
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/references
- agent/description
- agent/author
- agent/tags
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- package-manager/composer
- vendor/drupal
- canonical/drupal drupal
- version/drupal drupal/8.8.0
- version/drupal drupal/8.9.0
- version/drupal drupal/9.0.0