Drupal patches critical Vulnerability in Drupal Core
Take action: Plan to patch your Drupal release, and in the meantime if possible disable the JSON:API module in Drupal.
Drupal reports a cache poisoning vulnerability in Drupal Core, that's classified as critical per Drupal's internal classification:
Security Risk: Critical 16∕25 AC:Complex/A:None/CI:All/II:Some/E:Theoretical/TD:Default
Drupal's JSON:API module can, in specific scenarios, generate error backtraces. Under certain configurations, this might lead to caching sensitive data and making it accessible to anonymous users, potentially resulting in privilege escalation.
This vulnerability exclusively impacts websites with the JSON:API module activated and can be mitigated by deactivating JSON:API.
The core REST and contributed GraphQL modules remain unaffected.
The Drupal Steward partners have been informed of this concern. While some platforms might offer mitigations, it's important to note that not all Web Application Firewall (WAF) configurations can effectively mitigate this issue. Therefore, it is strongly advised to promptly update to this security release if your website utilizes JSON:API.
To remedy the vulnerability, install the latest version
Please note that all Drupal 9 versions preceding 9.5 are no longer supported for security updates. Additionally, Drupal 8 has reached its end of life. Drupal 7 remains unaffected.
|Simple Membership WordPress Plugin vulnerable to account creation, …|
|Jupiter X Core WordPress plugin site hijacking vulnerability|
|All-in-One WP Migration vulnerable to unauthenticated access|
|Flaw in WordPress Ninja Forms lets attackers steal …|
|MW WP Form plugin for WordPress has critical …|