CVE-2023-5256

7.5 HIGH

📋 TL;DR

Drupal's JSON:API module can expose sensitive error backtraces that may be cached and accessible to anonymous users. This information disclosure vulnerability could lead to privilege escalation by revealing system details. Only sites with the JSON:API module enabled are affected.

💻 Affected Systems

Products:
  • Drupal
Versions: Drupal core versions with JSON:API module enabled
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects sites with JSON:API module enabled. Core REST and contributed GraphQL modules are not affected.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Anonymous users obtain sensitive system information from cached error backtraces, enabling privilege escalation attacks that could lead to full site compromise.

🟠 Likely Case: Anonymous users access cached error information containing system paths, configuration details, or other sensitive data that could aid further attacks.

🟢 If Mitigated: With proper caching controls and error handling, only generic error messages are exposed, limiting information disclosure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires triggering error conditions in JSON:API endpoints and accessing cached error responses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Drupal security update for CVE-2023-5256

Vendor Advisory: https://www.drupal.org/sa-core-2023-006

Restart Required: No

Instructions:

1. Update Drupal core to the latest secure version.
2. Apply the security patch for CVE-2023-5256.
3. Clear all caches after patching.

🔧 Temporary Workarounds

Disable JSON:API Module (all platforms)

Uninstall the JSON:API module to completely mitigate the vulnerability

drush pm-uninstall jsonapi

Configure Error Handling (all platforms)

Configure Drupal to not display error backtraces to users

Set $config['system.logging']['error_level'] = 'hide' in settings.php

🧯 If You Can't Patch

  • Disable the JSON:API module immediately
  • Implement strict caching controls to prevent caching of error responses

🔍 How to Verify

Check if Vulnerable:

Check if JSON:API module is enabled and review error handling configuration

Check Version:

drush status | grep 'Drupal version'

Verify Fix Applied:

Verify Drupal core is updated to patched version and test JSON:API error responses

📡 Detection & Monitoring

Log Indicators:

  • Multiple error responses from JSON:API endpoints
  • Anonymous users accessing cached error pages

Network Indicators:

  • Unusual requests to JSON:API endpoints designed to trigger errors

SIEM Query:

source="drupal" AND (uri="*jsonapi*" AND status>=500)
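
The same filter as the SIEM query, extended to the "cached error" indicator, as an added example (not part of the original advisory or of Drupal). It assumes a web server log in combined format with a trailing `cache=` field carrying the response's X-Drupal-Cache value; that log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines: combined log format plus a trailing cache=<value> field
# (an assumed custom log format, not a Drupal or web server default).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Oct/2023:10:00:01 +0000] "GET /jsonapi/node/article?filter[x]=1 HTTP/1.1" 500 2311 cache=MISS
203.0.113.10 - - [01/Oct/2023:10:00:02 +0000] "GET /jsonapi/node/article?filter[x]=1 HTTP/1.1" 500 2311 cache=HIT
198.51.100.7 - - [01/Oct/2023:10:05:40 +0000] "GET /jsonapi/node/article?filter[x]=1 HTTP/1.1" 500 2311 cache=HIT
198.51.100.7 - - [01/Oct/2023:10:06:00 +0000] "GET /jsonapi/node/page HTTP/1.1" 200 840 cache=HIT
192.0.2.44 - - [01/Oct/2023:10:07:12 +0000] "GET /node/1 HTTP/1.1" 500 512 cache=MISS
192.0.2.44 - - [01/Oct/2023:10:08:30 +0000] "GET /jsonapi/user/user HTTP/1.1" 503 120 cache=MISS
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ cache=(?P<cache>\w+)$'
)

def find_jsonapi_errors(log_text, prefix="/jsonapi"):
    """Return {uri: {"errors", "cached_hits", "clients"}} for 5xx JSON:API responses."""
    findings = defaultdict(lambda: {"errors": 0, "cached_hits": 0, "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        if not m["uri"].startswith(prefix) or int(m["status"]) < 500:
            continue
        entry = findings[m["uri"]]
        entry["errors"] += 1
        entry["clients"].add(m["ip"])
        if m["cache"] == "HIT":
            entry["cached_hits"] += 1  # error body was replayed from cache
    return dict(findings)

def cached_error_uris(findings):
    """URIs whose 5xx response was served from cache at least once; review these first."""
    return sorted(u for u, f in findings.items() if f["cached_hits"] > 0)

if __name__ == "__main__":
    result = find_jsonapi_errors(SAMPLE_LOG)
    for uri in cached_error_uris(result):
        f = result[uri]
        print(f"{uri}: {f['errors']} errors, {f['cached_hits']} from cache, "
              f"{len(f['clients'])} clients")
```

A URI that returns a cached 5xx to more than one client is the pattern the log indicators above describe; clear caches for it after patching.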
