CVE-2024-13258
Published: 09 January 2025
Summary
CVE-2024-13258 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in the Drupal REST & JSON API Authentication contrib module. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking places it in the top 30.5% of CVEs, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13258 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal REST & JSON API Authentication contrib module that allows forceful browsing past the module's authorization checks. It affects every release of the module from 0.0.0 up to, but not including, 2.0.13. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): the vulnerability is reachable over the network, has low attack complexity, and requires neither privileges nor user interaction, while impact on confidentiality, integrity and availability is rated high.
A remote, unauthenticated attacker can send requests to the REST and JSON:API endpoints the module is meant to protect and have them served without the authorization the module should enforce. Depending on what those endpoints expose, this allows reading, modifying or deleting content and configuration without permission, which is why all three impact metrics are rated high and why full site compromise is a realistic outcome. The advisory does not publish the request details, so the exact bypass condition is not reproduced here.
The Drupal security advisory SA-CONTRIB-2024-022 documents the vulnerability; the CVE record itself was published on 2025-01-09. The only fix is to update the Drupal REST & JSON API Authentication module to version 2.0.13 or later. Until that is done, the practical compensating measure is to limit who can reach the affected REST and JSON:API routes at the web server or network layer, accepting that this also blocks legitimate API clients.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51472
Vulnerability details
Incorrect Authorization vulnerability in Drupal REST & JSON API Authentication allows Forceful Browsing. This issue affects Drupal REST & JSON API Authentication: from 0.0.0 before 2.0.13.
- CWE(s): CWE-863 Incorrect Authorization
Related Threats
MITRE ATT&CK Enterprise Techniques: T1190 Exploit Public-Facing Application
Why these techniques?
The module's authorization checks sit in front of Drupal REST and JSON:API routes that are exposed to the internet, so bypassing them is exploitation of a public-facing web application without credentials, which is exactly what T1190 describes.
Affected Assets
Drupal sites running the REST & JSON API Authentication contrib module, any version from 0.0.0 before 2.0.13.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): updating the Drupal REST & JSON API Authentication module to 2.0.13 or later removes the incorrect authorization defect; this is the only complete fix.
- AC-3 (Access Enforcement): enforcing approved authorizations on the REST and JSON:API endpoints, including at layers in front of Drupal where possible, prevents forceful browsing past the module's own checks.
- AC-6 (Least Privilege): granting API-reachable roles and service accounts only the permissions they need limits what an attacker can read or change if the authorization bypass is exploited before the module is updated.
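The update step in the advisory paragraph above and in SI-2 here can be checked mechanically across a fleet of sites. The following Python is an added example, not the module's or drupal.org's own tooling; it reads a composer.lock document, finds the module, and classifies the installed version against the advisory's range "from 0.0.0 before 2.0.13". It assumes the module's Composer package name is drupal/rest_api_authentication, which should be confirmed against your own lockfile, and the composer.lock excerpt it runs on is constructed for the demonstration.

```python
"""Check a Drupal site's composer.lock for a vulnerable REST & JSON API
Authentication module (CVE-2024-13258, fixed in 2.0.13).

Added example, not from the advisory or the module. Assumption: the
module's Composer package name is drupal/rest_api_authentication.
"""
import json
import re
from typing import Optional, Tuple

PACKAGE = "drupal/rest_api_authentication"  # assumed package name; verify locally
FIXED_VERSION = (2, 0, 13)                   # first release outside the affected range
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a release tag, or None for anything
    that is not a plain release number (e.g. '2.0.x-dev'), which cannot be
    placed in the affected range by number alone."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Classify an installed version against the advisory's affected range."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "indeterminate"  # dev snapshot: compare its commit date with the fix instead
    # Tuple comparison, not string comparison: as strings, "2.0.9" > "2.0.13".
    return "vulnerable" if parsed < FIXED_VERSION else "fixed"


def assess_lockfile(lock_json: str, package: str = PACKAGE) -> Tuple[str, Optional[str]]:
    """Return (status, installed_version) for the package in a composer.lock
    document. status is 'not-installed', 'vulnerable', 'fixed' or 'indeterminate'."""
    lock = json.loads(lock_json)
    for entry in lock.get("packages", []) + lock.get("packages-dev", []):
        if entry.get("name") == package:
            version = entry.get("version", "")
            return assess(version), version
    return "not-installed", None


# Constructed composer.lock excerpt for the demonstration (not a real site's lockfile).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/rest_api_authentication", "version": "2.0.9"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    status, version = assess_lockfile(SAMPLE_LOCK)
    print(f"{PACKAGE} {version}: {status}")
```

Versions are compared as integer tuples rather than strings, because a string comparison ranks 2.0.9 above 2.0.13 and would report the vulnerable sample as fixed. Dev snapshots such as 2.0.x-dev are reported as indeterminate: the branch name alone does not say whether the fixing commit is included, so those installs need a look at the checked-out commit.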