First published: Thu Sep 28 2023
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected.
Credit: mlhess@drupal.org
Affected Software | Affected Version | How to fix |
---|---|---|
Drupal Drupal | >=8.7.0, <9.5.11 | |
Drupal Drupal | >=10.0.0, <10.0.11 | |
Drupal Drupal | >=10.1.0, <10.1.4 | |
composer/drupal/core | >=10.1.0, <10.1.4 | 10.1.4 |
composer/drupal/core | >=10.0.0, <10.0.11 | 10.0.11 |
composer/drupal/core | >=8.7.0, <9.5.11 | 9.5.11 |
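To triage a site against the ranges in the table, the locked `drupal/core` version in `composer.lock` can be compared with each affected range. The following is an added example, not code from the advisory or from the Drupal project; the function names and the sample lock content are constructed for illustration. It reports version exposure only and does not check whether the JSON:API module is enabled.

```python
import json
import re

# Affected ranges from the table on this page:
# (inclusive lower bound, exclusive upper bound == first fixed release).
AFFECTED = [
    ((8, 7, 0), (9, 5, 11)),
    ((10, 0, 0), (10, 0, 11)),
    ((10, 1, 0), (10, 1, 4)),
]


def parse_version(text):
    """Return (major, minor, patch) for a stable x.y.z string, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def fixed_release_for(version_text):
    """Fixed release if affected, '' if not affected, None if the string
    is not a plain x.y.z release (dev branch, alpha/beta/rc)."""
    v = parse_version(version_text)
    if v is None:
        return None  # cannot be ordered reliably: needs manual review
    for low, fixed in AFFECTED:
        if low <= v < fixed:
            return ".".join(map(str, fixed))
    return ""


def check_lock(lock_text):
    """Inspect composer.lock content and report on the drupal/core package."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "drupal/core":
            fix = fixed_release_for(pkg.get("version", ""))
            status = ("review" if fix is None
                      else "affected" if fix else "not affected")
            return {"version": pkg.get("version"), "status": status,
                    "fix": fix or None}
    return {"version": None, "status": "drupal/core not found", "fix": None}


# Constructed sample input, not a real site's lock file.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "10.1.3"},
    {"name": "symfony/http-kernel", "version": "v6.3.4"},
]})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```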
The vulnerability ID of this Drupal vulnerability is CVE-2023-5256.
The severity of CVE-2023-5256 is high.
The JSON:API module of Drupal is affected by CVE-2023-5256.
Drupal versions from 8.7.0 up to but not including 9.5.11, from 10.0.0 up to but not including 10.0.11, and from 10.1.0 up to but not including 10.1.4 are affected by CVE-2023-5256.
CVE-2023-5256 may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.