CVE-2023-5256 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2023-5256

CVE-2023-5256

September 28, 2023

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected.

Related Resources (6)

https://github.com/drupal/core/commit/5495dc530e3acd056478245bfe1828210c6da7dc

https://github.com/drupal/core/commit/1cd2741c2b43f6ad1bdfc121b8d9ec3b87e70742

https://nvd.nist.gov/vuln/detail/CVE-2023-5256

https://github.com/drupal/core/commit/d4fe67562ee3ea0d9ecb9672d2945d94c5633d24

https://www.drupal.org/sa-core-2023-006

https://github.com/drupal/core

Do you need more information?

CVSS v4

Base Score:

7.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

EPSS

Base Score:

1.29

Products

Solutions

Resources

Company

Compare

Developer Tools