VYPR
Critical severityNVD Advisory· Published Sep 28, 2023· Updated Sep 23, 2024

Drupal core - Critical - Cache poisoning - SA-CORE-2023-006

CVE-2023-5256

Description

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
drupal/corePackagist
>= 8.7.0, < 9.5.119.5.11
drupal/corePackagist
>= 10.0.0, < 10.0.1110.0.11
drupal/corePackagist
>= 10.1.0, < 10.1.410.1.4

Affected products

3

Patches

Vulnerability mechanics

References

6

News mentions

1