CVE-2023-5256: Drupal JSON:API Module Error Backtrace Leakage Vulnerability
In this long read post, we will delve deep into a recent vulnerability found in Drupal's JSON:API module. This vulnerability, dubbed CVE-2023-5256, has been discovered to inadvertently leak sensitive information in specific scenarios, potentially allowing anonymous users to escalate their privileges. In particular, we will analyze its cause, exploitable scenarios, affected Drupal configurations, the necessary code snippets, and finally, suggested mitigation efforts or strategies.
For original references, please visit the official Drupal security advisory page here.
Exploit Details
CVE-2023-5256 stems from the way Drupal's JSON:API module handles error backtraces. Under certain circumstances, this module may output error backtraces (or debug information), which in turn can be cached by Drupal and subsequently made accessible to anonymous users. Consequently, an attacker can exploit this vulnerability to escalate their privileges on a compromised Drupal site.
Please note that this vulnerability affects _only_ those Drupal sites that have the JSON:API module enabled. Moreover, the core REST module and any contributed GraphQL modules are _not_ affected by this vulnerability.
Here's a code snippet that demonstrates how error backtraces can be leaked
public function handleError(\Throwable $exception) {
$this->logger->error($exception->getMessage(), ['exception' => $exception]);
$error = [
'title' => $this->t('Internal Server Error'),
'detail' => $exception->getMessage(),
];
if ($this->configFactory->get('system.logging')->get('error_level') === 'verbose') {
$error['meta']['exception'] = $exception->getTraceAsString();
}
return $this->prepareErrorResponse($error);
}
In the code above, if the Drupal site has its error_level set to 'verbose', the backtrace of the exception is leaked through the meta key.
Error level set to 'verbose' (which can be set in 'system.logging' configuration)
To check if your Drupal site has the JSON:API module enabled, you can use the following Drush command:
drush pm:list --type=module --status=enabled
Option 1: Uninstall JSON:API Module
If your Drupal site doesn't critically depend on the JSON:API module, it would be best to uninstall the module. This can be done through the following two ways:
a. Via Drush
drush pm:uninstall jsonapi
b. Via Drupal Admin UI
Go to the "Extend" page in the administration interface, locate the JSON:API module, uncheck its checkbox, and save the configuration.
Option 2: Change error_level settings
If your site depends on the JSON:API module, you can change the error_level setting to 'hide' debug information as a temporary workaround. Add the following to your site's settings.php file:
$config['system.logging']['error_level'] = 'hide';
However, please note that changing the error_level setting is not a complete fix for the vulnerability, and should be considered temporary until you secure the module against this vulnerability.
Conclusion
In this post, we have discussed the recent CVE-2023-5256 vulnerability found in Drupal's JSON:API module. While this vulnerability only affects sites with the JSON:API module enabled, it's crucial to take the necessary mitigation steps, such as uninstalling the module or changing the error_level settings. We encourage Drupal site owners to remain vigilant and keep up-to-date with the latest security updates and recommendations provided by the Drupal community.
Timeline
Published on: 09/28/2023 19:15:10 UTC
Last modified on: 10/05/2023 14:54:22 UTC