CVE-2023-5256 – drupal/core
Package
Manager: composer
Name: drupal/core
Vulnerable Version: >=8.7.0 <9.5.11 || >=10.0.0 <10.0.11 || >=10.1.0 <10.1.4
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00821 (percentile: 0.7354)
Details
Cache poisoning in drupal/core

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected.
Metadata
Created: 2023-09-28T21:30:58Z
Modified: 2023-12-20T21:01:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-rjqg-3h9m-fx5x/GHSA-rjqg-3h9m-fx5x.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-rjqg-3h9m-fx5x
Finding: F308
Auto approve: 1