Description
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.
References (1)
Core References
Mitigation, Patch, Vendor Advisory x_refsource_confirm
https://www.drupal.org/sa-core-2021-008
Scores
CVSS v3
9.8
EPSS
0.0080
EPSS Percentile
74.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-284
CWE-434
Status
published
Products (2)
drupal/core
8.0.0 - 8.9.19 (Packagist)
drupal/drupal
8.0.0 - 8.9.19
Published
Feb 11, 2022
Tracked Since
Feb 18, 2026