Drupal Security Advisory: Update Required for JSON:API Module

Drupal has released a security advisory addressing a critical vulnerability in its products. The security alert, designated A23-09-18 by GovCERT.HK, concerns a vulnerability in Drupal's JSON:API module. In certain scenarios the module can output error backtraces that expose sensitive information; when such a response is cached and served to anonymous users, it may lead to privilege escalation.

The vulnerability affects only websites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. For sites where the module is essential, updating to the latest security release is recommended.

It is important to note that the core REST and contributed GraphQL modules remain unaffected by this issue.

Drupal's security team has informed Drupal Steward partners about this vulnerability. While certain platforms may offer mitigation strategies, not all Web Application Firewall (WAF) configurations can effectively address the problem. Therefore, it is strongly advised to update your Drupal installation promptly if your site uses the JSON:API module.

The recommended updates are as follows:

  • If you are using Drupal 10.1, update to Drupal 10.1.4.
  • If you are using Drupal 10.0, update to Drupal 10.0.11.
  • If you are using Drupal 9.5, update to Drupal 9.5.11.

Note that all versions of Drupal 9 before 9.5 are end-of-life and no longer receive security coverage. Drupal 8 has also reached end of life. Drupal 7 is not affected by this vulnerability.
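To turn the version list above into a check an operator can run, here is an added example (it is not from the advisory or from Drupal): a POSIX shell function that classifies an installed core version against the fixed releases listed, plus a helper that looks for `jsonapi` in a module list such as the one `drush pm:list --status=enabled --type=module --format=list` prints. The drush invocation is an assumption about your tooling, and the sample module list is constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify an installed Drupal core
# version against the fixed releases named in SA-CORE-2023-006.
# Prints one of: patched, update-to-<version>, eol, unaffected, unknown.
drupal_core_status() {
    ver="${1%%-*}"                      # drop suffixes such as -dev or -rc1
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    case "$rest" in
        *.*) patch="${rest#*.}" ;;
        *)   patch=0 ;;                 # e.g. "10.1" with no patch number
    esac
    case "$major" in
        7)  echo "unaffected"; return 0 ;;          # Drupal 7 is not affected
        8)  echo "eol"; return 0 ;;                 # Drupal 8 is end-of-life
        9)  if [ "$minor" -lt 5 ]; then echo "eol"; return 0; fi
            [ "$minor" -eq 5 ] || { echo "unknown"; return 1; }
            fixed=11 ;;                             # 9.5.x -> 9.5.11
        10) case "$minor" in
                0) fixed=11 ;;                      # 10.0.x -> 10.0.11
                1) fixed=4 ;;                       # 10.1.x -> 10.1.4
                *) echo "unknown"; return 1 ;;      # branch not named in the advisory
            esac ;;
        *)  echo "unknown"; return 1 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then
        echo "patched"
    else
        echo "update-to-$major.$minor.$fixed"
    fi
}

# Returns 0 when "jsonapi" appears as a whole line of the module list in $1.
jsonapi_enabled() {
    printf '%s\n' "$1" | grep -qx 'jsonapi'
}

# Constructed sample of an enabled-module list (one machine name per line),
# as the assumed `drush pm:list --status=enabled --type=module --format=list`
# would print it on a site that has JSON:API turned on.
SAMPLE_MODULES="node
jsonapi
serialization
user"

if jsonapi_enabled "$SAMPLE_MODULES"; then
    echo "jsonapi enabled; core 10.1.3 -> $(drupal_core_status 10.1.3)"
fi
```

A site that reports `patched` but still has the module enabled is fine; one that reports `update-to-...` or `eol` with `jsonapi` enabled is the exposed case the advisory describes.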

Drupal users are strongly urged to take immediate action to secure their websites by applying the recommended updates or, if possible, uninstalling the JSON:API module. Staying vigilant and maintaining up-to-date security practices is crucial in safeguarding your Drupal-based website from potential threats.

For detailed information on this security update, users are encouraged to visit Drupal's official security advisory at the following link: Drupal core - Critical - Cache poisoning - SA-CORE-2023-006 | Drupal.org

Source of Information: GovCERT.HK - Security Alert (A23-09-18): Vulnerability in Drupal
