CVE-2023-5256

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
drupalCNA
---
---
CVEADP
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 80%
VendorProductVersion
drupaldrupal
10.1.4 <
𝑥
< 10.1.4
drupaldrupal
10.0.11 <
𝑥
< 10.0.11
drupaldrupal
8.7.0 ≤
𝑥
< 9.5.11
drupaldrupal
10.0.0 ≤
𝑥
< 10.0.11
drupaldrupal
10.1.0 ≤
𝑥
< 10.1.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.drupal.org/sa-core-2023-006
https://www.drupal.org/sa-core-2023-006