CVE-2023-5256: Drupal Core JSON:API Sensitive Data Exposure
Platform: drupal
Component: drupal
Fixed in: 9.5.11
CVE-2023-5256 describes a sensitive data exposure vulnerability within the JSON:API module of Drupal Core. Under specific configurations, error backtraces containing sensitive information can be cached and exposed to anonymous users, potentially leading to privilege escalation. This issue affects Drupal Core versions up to and including 9.5.9. The vulnerability is resolved in Drupal version 9.5.11.
How to fix
Uninstall the JSON:API module to mitigate the vulnerability. Alternatively, update Drupal Core to the latest available version that contains the fix for this issue. Consult the Drupal security advisory for further details and patches.
Frequently asked questions
What is CVE-2023-5256?
CVE-2023-5256 is a vulnerability in Drupal's JSON:API module that can expose sensitive information to anonymous users due to error backtraces being cached. This can lead to privilege escalation.
Am I affected by CVE-2023-5256?
You are affected if you are running Drupal Core with the JSON:API module enabled and are using a version less than or equal to 9.5.9. Sites using REST or GraphQL modules are not affected.
How do I fix CVE-2023-5256?
Upgrade your Drupal Core installation to version 9.5.11 or later. Alternatively, you can mitigate the vulnerability by uninstalling the JSON:API module.
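A small exposure check for the "Am I affected" and "How do I fix" questions above, written as an added example (not code from Drupal or from this advisory). It assumes a Composer-managed site with a `composer.lock` and an exported `core.extension.yml` (the inline samples are constructed), and it applies only the 9.5.x thresholds stated on this page: JSON:API enabled plus drupal/core below 9.5.11 means the site still needs the upgrade or the module uninstall.

```python
import json
import re

# Thresholds taken from the advisory: affected <= 9.5.9, fixed in 9.5.11.
FIXED_VERSION = (9, 5, 11)

# Constructed sample inputs standing in for a real site's files.
SAMPLE_LOCK = '{"packages": [{"name": "drupal/core", "version": "9.5.9"}]}'
SAMPLE_EXTENSION_YML = """\
_core:
  default_config_hash: placeholder
module:
  jsonapi: 0
  node: 0
  system: 0
theme:
  olivero: 0
profile: standard
"""

def parse_version(version):
    """Turn '9.5.9' (or 'v9.5.11-rc1') into a comparable 3-int tuple."""
    parts = []
    for piece in version.lstrip("v").split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def core_version_from_lock(lock_text):
    """Return the drupal/core version recorded in composer.lock, or None."""
    for package in json.loads(lock_text).get("packages", []):
        if package.get("name") == "drupal/core":
            return package.get("version")
    return None

def jsonapi_enabled(core_extension_yaml):
    """Plain-text scan of the 'module:' block in an exported core.extension.yml
    (assumes the standard exported layout, so no YAML library is needed)."""
    in_module_block = False
    for line in core_extension_yaml.splitlines():
        if re.match(r"^module:\s*$", line):
            in_module_block = True
            continue
        if in_module_block and not line.startswith(" "):
            in_module_block = False
        if in_module_block and re.match(r"^\s+jsonapi:\s*\d+\s*$", line):
            return True
    return False

def assess(lock_text, core_extension_yaml):
    """Classify a site for CVE-2023-5256 on the 9.5.x line described above."""
    version = core_version_from_lock(lock_text)
    if version is None:
        raise ValueError("drupal/core not found in composer.lock")
    if not jsonapi_enabled(core_extension_yaml):
        return "not-exposed"   # module uninstalled: the advisory's mitigation
    parsed = parse_version(version)
    if parsed[:2] != (9, 5):
        return "out-of-scope"  # other release lines are not covered by this page
    return "patched" if parsed >= FIXED_VERSION else "exposed"
```

Running `assess(SAMPLE_LOCK, SAMPLE_EXTENSION_YML)` on the constructed sample reports "exposed"; point the two functions at the real files to check a site.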