Content Delivery API security advisory

Is it safe to assume this only affects systems where the Content Delivery API is actually enabled?

Hi @creativesuspects ,

Yes that’s correct. The advisory explicitly states that “only the delivery API functionality is affected.” Because the vulnerability relies directly on the delivery API’s output expansion mechanism to expose protected content, a system where the Content Delivery API is disabled will not be exposed to this specific exploit.

If the API is turned off, the endpoints required to retrieve the data simply aren’t active.

Hope it helps!

Regards,
Shekhar

Hi @creativesuspects

I’d be a bit careful assuming it’s only about protected content. If you don’t have the Content Delivery API enabled at all then you’re fine, since the endpoints aren’t active. But the advisory covers two things: protected content expanded into the output, and referenced items restricted by type via configuration. So a site with the API on could still leak type-restricted content even without anything explicitly protected.

I would always recommend you update regardless, but if you aren’t running the Content Delivery API then you probably don’t need to rush to patch every site.

Justin