The vulnerability stems from Drupal core incorrectly applying HTTP cache-control headers to specific responses that contain sensitive user data. Under certain configurations, pages or API responses that should be marked non-cacheable or private are instead given public caching directives. This misconfiguration allows a shared cache, such as a reverse proxy or CDN, or a browser cache, to store the sensitive response. A subsequent user served from the same shared cache can then receive the previous user's data, which might include session identifiers or personal details, leading to a breach of confidentiality without any direct exploitation of the Drupal application itself.
Platform: Drupal Core
Version: < 10.4.9
Vulnerability: Improper Cache Control
Severity: Low
Date: 2024-11-18
Prediction: 2024-11-25
What Undercode Says:
curl -I https://target-site.com/sensitive-page
grep -r "Cache-Control" /path/to/drupal/core/
// Example of a vulnerable header setting: a response carrying per-user data is marked as storable by shared caches
$response->headers->set('Cache-Control', 'public');
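The `curl -I` check above only prints the header; deciding whether a per-user response is actually exposed to a shared cache requires reading the Cache-Control directives together with the other headers. The following script is an added example written for this post (it is not Drupal's code) that parses a raw response-header block such as `curl -I` prints and applies the shared-cache rules from RFC 7234: a response is storable by a proxy or CDN unless it carries `private` or `no-store`. The two header blocks, the `SSESS` session-cookie name and the "per-user" heuristic (Set-Cookie present, or Vary on Cookie/Authorization) are constructed assumptions for the demonstration.

```python
"""Flag HTTP responses that carry per-user data yet are storable by a shared cache.

Added example for this post, not Drupal core code. Input is a raw header block
in the form `curl -I` prints (status line followed by header fields).
"""

# Directives that forbid a shared cache (proxy/CDN) from storing the response (RFC 7234).
SHARED_CACHE_BLOCKERS = {"private", "no-store"}


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP/1.x header block into {lowercased name: [values]}.
    Repeated fields (e.g. several Set-Cookie lines) are kept as a list."""
    headers = {}
    lines = raw.strip().splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]  # drop the status line
    for line in lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_cache_control(values) -> dict:
    """Turn one or more Cache-Control field values into {directive: argument or None}."""
    directives = {}
    for value in values:
        for token in value.split(","):
            token = token.strip().lower()
            if not token:
                continue
            name, _, arg = token.partition("=")
            directives[name.strip()] = arg.strip().strip('"') or None
    return directives


def is_per_user(headers: dict) -> bool:
    """Heuristic (assumption, not a Drupal rule): a response is per-user if it
    sets a cookie or declares that it varies on credentials."""
    if "set-cookie" in headers:
        return True
    vary = {v.strip().lower() for val in headers.get("vary", []) for v in val.split(",")}
    return bool(vary & {"cookie", "authorization"})


def assess(raw: str) -> dict:
    """Return the cacheability verdict for one response-header block."""
    headers = parse_headers(raw)
    cc = parse_cache_control(headers.get("cache-control", []))
    shared_cacheable = not (SHARED_CACHE_BLOCKERS & set(cc))
    return {
        "per_user": is_per_user(headers),
        # 'public' or 's-maxage' actively invites shared caches to store the response.
        "explicitly_shared": "public" in cc or "s-maxage" in cc,
        "shared_cacheable": shared_cacheable,
        "exposed": is_per_user(headers) and shared_cacheable,
    }


# Constructed sample responses (not captured from any real site).
VULNERABLE = """HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: SSESSconstructed=constructedvalue; Path=/; Secure; HttpOnly
Cache-Control: public, max-age=3600
"""

HARDENED = """HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: SSESSconstructed=constructedvalue; Path=/; Secure; HttpOnly
Cache-Control: private, no-store, max-age=0
"""

if __name__ == "__main__":
    for label, block in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        verdict = assess(block)
        print(f"{label}: exposed={verdict['exposed']} {verdict}")
```

Run it against `curl -I` output saved to a file by reading the file into `assess()`; a result with `exposed` set is a response that a proxy or CDN may legitimately store and serve to the next visitor. The hardened block shows the directive pair (`private, no-store`) that closes the gap regardless of `max-age`.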
How the Exploit Works:
1. Attacker identifies a cacheable sensitive endpoint.
2. Victim user accesses the endpoint, and the shared cache stores their response.
3. Attacker retrieves the victim's data from the cache.
Protection from this CVE
Update to Drupal core versions 10.4.9, 10.5.6, 11.1.9, or 11.2.8.
Impact:
Sensitive Information Disclosure
Session Hijacking
Sources:
Reported By: github.com