CVE-2023-5256
Drupal core - Critical - Cache poisoning - SA-CORE-2023-006
7.5
HIGH
CVSS 3.1
EPSS 1.3%
Description
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected.
How to fix CVE-2023-5256
To remediate CVE-2023-5256, upgrade the affected package to a fixed version below.
- —upgrade to 9.5.11 or later
- —upgrade to 9.5.11 or later
- —upgrade to 9.5.11 or later
Is CVE-2023-5256 being exploited?
Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 8.7.0, < 9.5.11, >= 10.0.0, < 10.0.11, >= 10.1.0, < 10.1.4
- >= 8.7.0, < 9.5.11 | >= 10.0.0, < 10.0.11 | >= 10.1.0, < 10.1.4
- >= 8.7.0, < 9.5.11
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |