CVE-2023-5256

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-5256

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-5256.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-5256

Aliases

Related

UBUNTU-CVE-2023-5256

Published

2023-09-28T19:15:10Z

Modified

2024-10-11T08:28:52Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.

References

https://www.drupal.org/sa-core-2023-006

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type: GIT
Repo: https://github.com/drupal/drupal
Events: Introduced

17ba30046ed57677de4feff8d07354890b40efdb

Fixed

4576b6a4f1ac7e94a7547f226892a01999026cf2