{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5256", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2023-09-28T18:13:12.881Z", "datePublished": "2023-09-28T18:17:43.128Z", "dateUpdated": "2024-09-23T18:25:29.327Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Core", "vendor": "Drupal", "versions": [{"lessThanOrEqual": "10.1.4", "status": "affected", "version": "10.1", "versionType": "semver"}, {"lessThanOrEqual": "10.0.11", "status": "affected", "version": "10.0", "versionType": "semver"}, {"lessThanOrEqual": "9.5.11", "status": "affected", "version": "9.5", "versionType": "semver"}]}], "datePublic": "2023-09-21T18:17:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.</p><p>This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.</p><p>The core REST and contributed GraphQL modules are not affected.</p><br><br>"}], "value": "In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.\n\nThis vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.\n\nThe core REST and contributed GraphQL modules are not affected.\n\n\n\n"}], "impacts": [{"capecId": "CAPEC-141", "descriptions": [{"lang": "en", "value": "CAPEC-141 Cache Poisoning"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2023-09-28T18:17:43.128Z"}, "references": [{"url": "https://www.drupal.org/sa-core-2023-006"}], "source": {"discovery": "UNKNOWN"}, "title": "Drupal core - Critical - Cache poisoning - SA-CORE-2023-006", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:52:08.530Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.drupal.org/sa-core-2023-006", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "drupal", "product": "drupal", "cpes": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "10.1", "status": "affected", "lessThan": "10.1.4", "versionType": "semver"}, {"version": "10.0", "status": "affected", "lessThan": "10.0.11", "versionType": "semver"}, {"version": "9.5", "status": "affected", "lessThan": "9.5.11", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-09-23T18:22:43.682965Z", "id": "CVE-2023-5256", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T18:25:29.327Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.drupal.org/sa-core-2023-006", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:52:08.530Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-5256", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-23T18:22:43.682965Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "vendor": "drupal", "product": "drupal", "versions": [{"status": "affected", "version": "10.1", "lessThan": "10.1.4", "versionType": "semver"}, {"status": "affected", "version": "10.0", "lessThan": "10.0.11", "versionType": "semver"}, {"status": "affected", "version": "9.5", "lessThan": "9.5.11", "versionType": "custom"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T18:25:19.880Z"}}], "cna": {"title": "Drupal core - Critical - Cache poisoning - SA-CORE-2023-006", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-141", "descriptions": [{"lang": "en", "value": "CAPEC-141 Cache Poisoning"}]}], "affected": [{"vendor": "Drupal", "product": "Core", "versions": [{"status": "affected", "version": "10.1", "versionType": "semver", "lessThanOrEqual": "10.1.4"}, {"status": "affected", "version": "10.0", "versionType": "semver", "lessThanOrEqual": "10.0.11"}, {"status": "affected", "version": "9.5", "versionType": "semver", "lessThanOrEqual": "9.5.11"}], "defaultStatus": "unaffected"}], "datePublic": "2023-09-21T18:17:00.000Z", "references": [{"url": "https://www.drupal.org/sa-core-2023-006"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.\n\nThis vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.\n\nThe core REST and contributed GraphQL modules are not affected.\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.</p><p>This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.</p><p>The core REST and contributed GraphQL modules are not affected.</p><br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2023-09-28T18:17:43.128Z"}}}, "cveMetadata": {"cveId": "CVE-2023-5256", "state": "PUBLISHED", "dateUpdated": "2024-09-23T18:25:29.327Z", "dateReserved": "2023-09-28T18:13:12.881Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2023-09-28T18:17:43.128Z", "assignerShortName": "drupal"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD7E7B61-D321-47CE-ACB3-08DC6084EBA4", "versionEndExcluding": "9.5.11", "versionStartIncluding": "8.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "9796BCDF-6CC1-4447-AFE9-BB76BDDE9C68", "versionEndExcluding": "10.0.11", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "E98DD977-94BF-4701-A222-BF0E0443197F", "versionEndExcluding": "10.1.4", "versionStartIncluding": "10.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.\n\nThis vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.\n\nThe core REST and contributed GraphQL modules are not affected.\n\n\n\n"}, {"lang": "es", "value": "En ciertos escenarios, el m\u00f3dulo JSON:API de Drupal generar\u00e1 seguimientos de errores. Con algunas configuraciones, esto puede hacer que la informaci\u00f3n confidencial se almacene en cach\u00e9 y se ponga a disposici\u00f3n de usuarios an\u00f3nimos, lo que lleva a una escalada de privilegios. Esta vulnerabilidad solo afecta a los sitios con el m\u00f3dulo JSON:API habilitado y se puede mitigar desinstalando JSON:API. Los m\u00f3dulos REST principales y GraphQL contribuidos no se ven afectados."}], "id": "CVE-2023-5256", "lastModified": "2024-11-21T08:41:23.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-09-28T19:15:10.977", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-core-2023-006"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-core-2023-006"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "mlhess@drupal.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}