Critical Cache Poisoning Vulnerability in Drupal Core: SA-CORE-2023-006
A critical security vulnerability has been discovered in Drupal Core, prompting the release of a security update, SA-CORE-2023-006. The vulnerability, labeled "Cache poisoning," poses a significant risk to affected Drupal installations, with a severity rating of 16 out of 25. The issue affects Drupal core versions 8.7.0 up to but not including 9.5.11, 10.0 up to but not including 10.0.11, and 10.1 up to but not including 10.1.4.
The vulnerability arises from certain scenarios within Drupal's JSON:API module that can cause error backtraces to be exposed. In susceptible configurations, this sensitive information may be cached and served to anonymous users, potentially leading to privilege escalation.
Note that this vulnerability only affects sites with the JSON:API module enabled. As a mitigation, site administrators can uninstall the JSON:API module; however, affected sites are strongly advised to apply the security update promptly.
The Drupal Security Team acted swiftly to address this issue. Site administrators are urged to update to the latest versions of Drupal, with specific guidance provided for Drupal 10.1, 10.0, and 9.5, as outlined in the security advisory. Notably, Drupal 8 has reached its end of life and is not eligible for security coverage. Drupal 7 remains unaffected by this vulnerability.
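The following triage helper is an added example, not code from the advisory or from the Drupal project. It encodes the three affected version ranges stated above as half-open intervals, checks whether a given Drupal core version falls inside them, and combines that with whether the JSON:API module is enabled and whether the site is on the end-of-life 8.x branch to produce a status an administrator can act on. The handling of pre-release suffixes (treating `10.1.4-rc1` as earlier than, and therefore still affected before, the `10.1.4` release) is an assumption of this example, not something the advisory states; the status strings and the sample inputs in `main()` are likewise constructed for illustration.

```python
"""Triage helper for SA-CORE-2023-006 (added example, not from the advisory).

Given a Drupal core version string and whether the JSON:API module is
enabled, decide whether a site is inside the affected version ranges and
what the advisory's guidance implies for it.
"""
import re
from typing import Tuple

# Comparable version tuple: (major, minor, patch, release_flag).
# release_flag is 1 for a final release and 0 for a pre-release (e.g. -rc1),
# so a pre-release sorts before the final release with the same number.
Version = Tuple[int, int, int, int]

# Affected ranges from the advisory, as [lower, upper) pairs.
# Lower bounds include pre-releases (conservative); upper bounds are the
# fixed releases, which are excluded.
AFFECTED_RANGES = [
    ((8, 7, 0, 0), (9, 5, 11, 1)),    # >= 8.7.0  and < 9.5.11
    ((10, 0, 0, 0), (10, 0, 11, 1)),  # >= 10.0   and < 10.0.11
    ((10, 1, 0, 0), (10, 1, 4, 1)),   # >= 10.1   and < 10.1.4
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?$")


def parse_version(version: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][-prerelease]' into a comparable tuple.

    A missing patch component is treated as 0, matching how the advisory
    writes '10.0' and '10.1' as lower bounds.  Assumption of this example:
    a pre-release suffix means the version precedes the final release of
    the same number, so '10.1.4-rc1' is still inside the affected range.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if prerelease else 1)


def is_affected_version(version: str) -> bool:
    """True if the version lies in any affected [lower, upper) range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(version: str, jsonapi_enabled: bool) -> str:
    """Map a site's version and JSON:API state to an actionable status.

    Statuses (constructed for this example):
      not-affected             version outside every affected range
      end-of-life              affected 8.x site: no 8.x fix exists, upgrade major
      vulnerable               affected version with JSON:API enabled
      mitigated-update-pending affected version, JSON:API disabled; still update
    """
    if not is_affected_version(version):
        return "not-affected"
    if parse_version(version)[0] == 8:
        return "end-of-life"
    return "vulnerable" if jsonapi_enabled else "mitigated-update-pending"


def main() -> None:
    # Constructed sample inventory: (site name, core version, JSON:API enabled).
    sites = [
        ("intranet", "9.5.10", True),
        ("shop", "10.0.11", True),
        ("blog", "10.1.4-rc1", False),
        ("legacy", "8.9.20", True),
        ("archive", "7.98", True),
    ]
    for name, version, jsonapi in sites:
        print(f"{name:10} {version:12} jsonapi={jsonapi!s:5} -> {triage(version, jsonapi)}")


if __name__ == "__main__":
    main()
```

The ranges are deliberately half-open so the fixed releases (9.5.11, 10.0.11, 10.1.4) report as not affected while every earlier build, including release candidates of the fixed version, still does; if your inventory tool reports versions in another format, adjust `parse_version` rather than the range table.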