Skip to content

Cache poisoning in drupal/core

Critical severity GitHub Reviewed Published Sep 28, 2023 to the GitHub Advisory Database • Updated Dec 20, 2023

Package

composer drupal/core (Composer)

Affected versions

>= 8.7.0, < 9.5.11
>= 10.0.0, < 10.0.11
>= 10.1.0, < 10.1.4

Patched versions

9.5.11
10.0.11
10.1.4

Description

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.

References

Published by the National Vulnerability Database Sep 28, 2023
Published to the GitHub Advisory Database Sep 28, 2023
Last updated Dec 20, 2023
Reviewed Dec 20, 2023

Severity

Critical

EPSS score

0.089%
(39th percentile)

Weaknesses

CVE ID

CVE-2023-5256

GHSA ID

GHSA-rjqg-3h9m-fx5x

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.