it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Drupal core - Critical - Cache poisoning - SA-CORE-2023-006
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Drupal core - Critical - Cache poisoning - SA-CORE-2023-006
- Date: Wed, 20 Sep 2023 17:42:59 +0000 (UTC)
- Authentication-results: mail.piratenpartei.de; dkim=none; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 4D58B80E38
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org C758583C94
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 426A241FB5
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 3482A41FAA
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-core-2023-006
Project: Drupal core [1]
Date: 2023-September-20
Security risk: *Critical* 16∕25
AC:Complex/A:None/CI:All/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cache poisoning
Affected versions: >=8.7.0 <9.5.11 || >=10.0 <10.0.11 || >= 10.1 <10.1.4
Description:
In certain scenarios, Drupal's JSON:API module will output error backtraces.
With some configurations, this may cause sensitive information to be cached
and made available to anonymous users, leading to privilege escalation.
This vulnerability only affects sites with the JSON:API module enabled, and
can be mitigated by uninstalling JSON:API.
The core REST and contributed GraphQL modules are not affected.
Drupal Steward [3] partners have been made aware of this issue. Some
platforms may provide mitigations. However, not all WAF configurations can
mitigate the issue, so it is still recommended to update promptly to this
security release if your site uses JSON:API.
Solution:
Install the latest version:
* If you are using Drupal 10.1, update to Drupal 10.1.4 [4].
* If you are using Drupal 10.0, update to Drupal 10.0.11 [5].
* If you are using Drupal 9.5, update to Drupal 9.5.11 [6].
All versions of Drupal 9 prior to 9.5 are end-of-life and do not receive
security coverage. Note that Drupal 8 has reached its end of life [7].
Drupal 7 is not affected.
Reported By:
* ghostccamm [8]
Fixed By:
* Drew Webber [9] of the Drupal Security Team
* Peter Wolanin [10] of the Drupal Security Team
* Nathaniel Catchpole [11] of the Drupal Security Team
* Alex Bronstein [12] of the Drupal Security Team
* Lee Rowlands [13] of the Drupal Security Team
* xjm [14] of the Drupal Security Team
* Wim Leers [15]
* Benji Fisher [16] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/steward
[4] https://www.drupal.org/project/drupal/releases/10.1.4
[5] https://www.drupal.org/project/drupal/releases/10.0.11
[6] https://www.drupal.org/project/drupal/releases/9.5.11
[7] https://www.drupal.org/psa-2021-06-29
[8] https://www.drupal.org/user/3778490
[9] https://www.drupal.org/user/255969
[10] https://www.drupal.org/user/49851
[11] https://www.drupal.org/user/35733
[12] https://www.drupal.org/user/78040
[13] https://www.drupal.org/user/395439
[14] https://www.drupal.org/user/65776
[15] https://www.drupal.org/user/99777
[16] https://www.drupal.org/user/683300
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Drupal core - Critical - Cache poisoning - SA-CORE-2023-006, security-news, 20.09.2023
Archiv bereitgestellt durch MHonArc 2.6.24.