CVE-2023-5256

EPSS 0.99%
Published 28.09.2023 19:15:10
Last modified 21.11.2024 08:41:23
Source mlhess@drupal.org
Teams watchlist Login
Open Login

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Drupal ≫ Drupal Version >= 8.7.0 < 9.5.11

Drupal ≫ Drupal Version >= 10.0.0 < 10.0.11

Drupal ≫ Drupal Version >= 10.1.0 < 10.1.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.99%	0.761

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	1.6	5.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	1.6	5.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://www.drupal.org/sa-core-2023-006

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-5256

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-5256

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-5256

EUVD