In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.
This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.
The core REST and contributed GraphQL modules are not affected.
References
Link | Resource |
---|---|
https://www.drupal.org/sa-core-2023-006 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
05 Oct 2023, 14:54
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CWE | NVD-CWE-noinfo | |
First Time |
Drupal
Drupal drupal |
|
References | (MISC) https://www.drupal.org/sa-core-2023-006 - Vendor Advisory | |
CPE | cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* |
28 Sep 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-09-28 19:15
Updated : 2024-09-23 19:35
NVD link : CVE-2023-5256
Mitre link : CVE-2023-5256
CVE.ORG link : CVE-2023-5256
JSON object : View
Products Affected
drupal
- drupal
CWE