CVE-2023-5256

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected.
References
Link Resource
https://www.drupal.org/sa-core-2023-006 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

History

05 Oct 2023, 14:54

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CWE NVD-CWE-noinfo
First Time Drupal
Drupal drupal
References (MISC) https://www.drupal.org/sa-core-2023-006 - (MISC) https://www.drupal.org/sa-core-2023-006 - Vendor Advisory
CPE cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

28 Sep 2023, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-09-28 19:15

Updated : 2024-09-23 19:35


NVD link : CVE-2023-5256

Mitre link : CVE-2023-5256

CVE.ORG link : CVE-2023-5256


JSON object : View

Products Affected

drupal

  • drupal
CWE
NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor