[Security-news] Drupal core - Critical - Cache poisoning - SA-CORE-2023-006
security-news at drupal.org
security-news at drupal.org
Wed Sep 20 17:42:59 UTC 2023
View online: https://www.drupal.org/sa-core-2023-006
Project: Drupal core [1]
Date: 2023-September-20
Security risk: *Critical* 16∕25
AC:Complex/A:None/CI:All/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cache poisoning
Affected versions: >=8.7.0 <9.5.11 || >=10.0 <10.0.11 || >= 10.1 <10.1.4
Description:
In certain scenarios, Drupal's JSON:API module will output error backtraces.
With some configurations, this may cause sensitive information to be cached
and made available to anonymous users, leading to privilege escalation.
This vulnerability only affects sites with the JSON:API module enabled, and
can be mitigated by uninstalling JSON:API.
The core REST and contributed GraphQL modules are not affected.
Drupal Steward [3] partners have been made aware of this issue. Some
platforms may provide mitigations. However, not all WAF configurations can
mitigate the issue, so it is still recommended to update promptly to this
security release if your site uses JSON:API.
Solution:
Install the latest version:
* If you are using Drupal 10.1, update to Drupal 10.1.4 [4].
* If you are using Drupal 10.0, update to Drupal 10.0.11 [5].
* If you are using Drupal 9.5, update to Drupal 9.5.11 [6].
All versions of Drupal 9 prior to 9.5 are end-of-life and do not receive
security coverage. Note that Drupal 8 has reached its end of life [7].
Drupal 7 is not affected.
Reported By:
* ghostccamm [8]
Fixed By:
* Drew Webber [9] of the Drupal Security Team
* Peter Wolanin [10] of the Drupal Security Team
* Nathaniel Catchpole [11] of the Drupal Security Team
* Alex Bronstein [12] of the Drupal Security Team
* Lee Rowlands [13] of the Drupal Security Team
* xjm [14] of the Drupal Security Team
* Wim Leers [15]
* Benji Fisher [16] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/steward
[4] https://www.drupal.org/project/drupal/releases/10.1.4
[5] https://www.drupal.org/project/drupal/releases/10.0.11
[6] https://www.drupal.org/project/drupal/releases/9.5.11
[7] https://www.drupal.org/psa-2021-06-29
[8] https://www.drupal.org/user/3778490
[9] https://www.drupal.org/user/255969
[10] https://www.drupal.org/user/49851
[11] https://www.drupal.org/user/35733
[12] https://www.drupal.org/user/78040
[13] https://www.drupal.org/user/395439
[14] https://www.drupal.org/user/65776
[15] https://www.drupal.org/user/99777
[16] https://www.drupal.org/user/683300
More information about the Security-news
mailing list