Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/drupal/core@10.0.0
Typecomposer
Namespacedrupal
Namecore
Version10.0.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version10.0.8
Latest_non_vulnerable_version11.2.8
Affected_by_vulnerabilities
0
url VCID-54qh-fz2a-cyh6
vulnerability_id VCID-54qh-fz2a-cyh6
summary 
Generation of Error Message Containing Sensitive Information
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.

The core REST and contributed GraphQL modules are not affected.
references
0
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
1
reference_url https://github.com/drupal/core/commit/1cd2741c2b43f6ad1bdfc121b8d9ec3b87e70742
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core/commit/1cd2741c2b43f6ad1bdfc121b8d9ec3b87e70742
2
reference_url https://github.com/drupal/core/commit/5495dc530e3acd056478245bfe1828210c6da7dc
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core/commit/5495dc530e3acd056478245bfe1828210c6da7dc
3
reference_url https://github.com/drupal/core/commit/d4fe67562ee3ea0d9ecb9672d2945d94c5633d24
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core/commit/d4fe67562ee3ea0d9ecb9672d2945d94c5633d24
4
reference_url https://www.drupal.org/sa-core-2023-006
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.drupal.org/sa-core-2023-006
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-5256
reference_id CVE-2023-5256
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-5256
6
reference_url https://github.com/advisories/GHSA-rjqg-3h9m-fx5x
reference_id GHSA-rjqg-3h9m-fx5x
reference_type
scores
url https://github.com/advisories/GHSA-rjqg-3h9m-fx5x
fixed_packages
0
url pkg:composer/drupal/core@10.0.11
purl pkg:composer/drupal/core@10.0.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.0.11
1
url pkg:composer/drupal/core@10.1.4
purl pkg:composer/drupal/core@10.1.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.1.4
aliases CVE-2023-5256, GHSA-rjqg-3h9m-fx5x
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-54qh-fz2a-cyh6
1
url VCID-bge7-rqsx-gfee
vulnerability_id VCID-bge7-rqsx-gfee
summary 
Access bypass in Drupal core
The file download facility does not sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.
references
0
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
1
reference_url https://www.drupal.org/sa-core-2023-005
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.drupal.org/sa-core-2023-005
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-31250
reference_id CVE-2023-31250
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-31250
3
reference_url https://github.com/advisories/GHSA-8849-cv9f-vccm
reference_id GHSA-8849-cv9f-vccm
reference_type
scores
url https://github.com/advisories/GHSA-8849-cv9f-vccm
fixed_packages
0
url pkg:composer/drupal/core@10.0.8
purl pkg:composer/drupal/core@10.0.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.0.8
aliases CVE-2023-31250, GHSA-8849-cv9f-vccm
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bge7-rqsx-gfee
2
url VCID-jyz4-ymrp-pka7
vulnerability_id VCID-jyz4-ymrp-pka7
summary 
Drupal core vulnerable to improper error handling
Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site.

The issue is mitigated by the fact that several non-default site configurations must exist simultaneously for this to occur.
references
0
reference_url https://github.com/drupal/core
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/drupal/core
1
reference_url https://www.drupal.org/sa-core-2024-002
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.drupal.org/sa-core-2024-002
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-11942
reference_id CVE-2024-11942
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-11942
3
reference_url https://github.com/advisories/GHSA-52jr-x6h6-xj6g
reference_id GHSA-52jr-x6h6-xj6g
reference_type
scores
url https://github.com/advisories/GHSA-52jr-x6h6-xj6g
fixed_packages
0
url pkg:composer/drupal/core@10.2.10
purl pkg:composer/drupal/core@10.2.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.2.10
aliases CVE-2024-11942, GHSA-52jr-x6h6-xj6g
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jyz4-ymrp-pka7
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/drupal/core@10.0.0