In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations,     this may cause sensitive information to be cached and made available to anonymous users, leading to     privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be     mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected.
    (CVE-2023-5256)

Note that Nessus relies on the presence of the package as reported by the vendor.

According to its self-reported version, the instance of Drupal running on the remote web server is 8.7.x prior to 9.5.11, 10.0.x prior to 10.0.11 or 10.1.x prior to 10.1.4. In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the instance of Drupal running on the remote web server is 9.5.x prior to 9.5.11, 10.x prior to 10.0.11, or 10.1.x prior to 10.1.4. It is, therefore, affected by a vulnerability.

  - In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations,     this may cause sensitive information to be cached and made available to anonymous users, leading to     privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be     mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected. Drupal     Steward partners have been made aware of this issue. Some platforms may provide mitigations. However, not     all WAF configurations can mitigate the issue, so it is still recommended to update promptly to this     security release if your site uses JSON:API. (SA-CORE-2023-006)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
246115	Linux Distros Unpatched Vulnerability : CVE-2023-5256	Nessus	Misc.	high
114049	Drupal 8.7.x < 9.5.11 Cache Poisoning	Web App Scanning	Component Vulnerability	high
114048	Drupal 10.0.x < 10.0.11 Cache Poisoning	Web App Scanning	Component Vulnerability	high
114047	Drupal 10.1.x < 10.1.4 Cache Poisoning	Web App Scanning	Component Vulnerability	high
181691	Drupal 9.5.x < 9.5.11 / 10.x < 10.0.11 / 10.1.x < 10.1.4 Drupal Vulnerability (SA-CORE-2023-006)	Nessus	CGI abuses	high

Detections

Analytics

CVE-2023-5256

high

Tenable Plugins

high

high

high

high

high