CVE-2023-5256

CWE-200 — Information Exposure7 documents5 sources

Severity

7.5HIGH

EPSS

1.3%

top 20.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Drupal Drupal Core

Timeline

PublishedSep 28

Description

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages3 packages

▶Packagistdrupal/core8.7.0 — 9.5.11+2

▶CVEListV5drupal/core10.1 — 10.1.4+2

▶NVDdrupal/drupal8.7.0 — 9.5.11+2

🔴Vulnerability Details

OSV

CVE-2023-5256: In certain scenarios, Drupal's JSON:API module will output error backtraces↗2023-09-28

▶

GHSA

Cache poisoning in drupal/core↗2023-09-28

▶

CVEList

Drupal core - Critical - Cache poisoning - SA-CORE-2023-006↗2023-09-28

▶

OSV

Cache poisoning in drupal/core↗2023-09-28

▶

OSV

CVE-2023-5256: In certain scenarios, Drupal's JSON:API module will output error backtraces↗2023-09-20

▶

📋Vendor Advisories

Drupal

Drupal core - Critical - Cache poisoning - SA-CORE-2023-006↗2023-09-20

▶