Drupal Core Web Browser Cache Vulnerability Allowing Information Disclosure

A vulnerability in Drupal Core's handling of private and temporary files can lead to unauthorized access to sensitive information. This issue affects Drupal versions 8.0.0 prior to 10.4.9, 10.5.0 prior to 10.5.6, 11.0.0 prior to 11.1.9, and 11.2.0 prior to 11.2.8. The vulnerability arises when files are served with a 'Cache-Control: public' header, allowing cached versions of files to be accessed by users who should not have permission. This can occur if Drupal is configured to manage non-public files with a custom or contributed module that adds a new file scheme. Exploitation requires knowledge of a file that has been accessed by a more-privileged user and is still cached, potentially involving Varnish or a CDN.

Impact

Exploitation of this vulnerability could result in the unauthorized disclosure of sensitive information, allowing users to access cached files they should not be able to.

Remediation

Users can upgrade to Drupal 10.4.9, 10.5.6, 11.1.9, or 11.2.8. Instructions for downloading these versions are available on the Drupal project page. Drupal 11.0.x, 10.3.x, and earlier versions are no longer supported and do not receive security updates.