2242235 – (CVE-2023-5256) CVE-2023-5256 drupal: cache poisoning in JSON:API module

Bug 2242235 (CVE-2023-5256) - CVE-2023-5256 drupal: cache poisoning in JSON:API module

Summary: CVE-2023-5256 drupal: cache poisoning in JSON:API module

Keywords:
Status:	NEW
Alias:	CVE-2023-5256
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2242236 2242237
Blocks:
TreeView+	depends on / blocked

Reported:	2023-10-05 06:04 UTC by TEJ RATHI
Modified:	2023-10-05 14:39 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description TEJ RATHI 2023-10-05 06:04:29 UTC

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.

https://www.drupal.org/sa-core-2023-006

Comment 1 TEJ RATHI 2023-10-05 06:04:49 UTC

Created drupal7 tracking bugs for this issue:

Affects: epel-7 [bug 2242237]
Affects: fedora-all [bug 2242236]

Comment 2 Shawn Iwinski 2023-10-05 14:39:32 UTC

Tracking/dependent bugs closed as "not a bug" as this does not pertain to Drupal v7

Note You need to log in before you can comment on or make changes to this bug.