Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-5256
Summary
In certain scenarios, Drupal's "JSON:API" module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the "JSON:API" module enabled, and can be mitigated by uninstalling "JSON:API". The core REST and contributed GraphQL modules are not affected. This vulnerability affects drupal in versions 8.7.0-beta1 through 9.5.10, 10.0.0 through 10.0.10, and 10.1.0 through 10.1.3.
- HIGH
- NETWORK
- HIGH
- UNCHANGED
- NONE
- LOW
- HIGH
- HIGH
CWE-200 - Information Exposure
An information exposure vulnerability is categorized as an information flow (IF) weakness, which can potentially allow unauthorized access to otherwise classified information in the application, such as confidential personal information (demographics, financials, health records, etc.), business secrets, and the application's internal environment.
References
Advisory Timeline
- Published