CVE-2024-13255
Published: 09 January 2025
Summary
CVE-2024-13255 is a high-severity Exposure of Sensitive Information Through Data Queries (CWE-202) vulnerability in Restful Web Services Project Restful Web Services. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-13255 is an Exposure of Sensitive Information Through Data Queries vulnerability in the Drupal RESTful Web Services module, enabling forceful browsing. This issue affects RESTful Web Services versions from 7.X-2.0 before 7.X-2.10. The vulnerability is classified under CWE-202 and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no effect on integrity or availability.
Remote attackers require only network access and can exploit the vulnerability without privileges or user interaction due to its low attack complexity. Successful exploitation allows disclosure of sensitive information through crafted data queries targeting the RESTful endpoints.
The Drupal security advisory at https://www.drupal.org/sa-contrib-2024-019 details mitigation steps, with the issue resolved in RESTful Web Services version 7.X-2.10. Site administrators should update to this or later versions to address the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51469
Vulnerability details
Exposure of Sensitive Information Through Data Queries vulnerability in Drupal RESTful Web Services allows Forceful Browsing.This issue affects RESTful Web Services: from 7.X-2.0 before 7.X-2.10.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated exploitation of public REST endpoints for sensitive data disclosure via crafted queries/forceful browsing.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the CVE by requiring identification, reporting, and correction of the specific flaw in the Drupal RESTful Web Services module via patching to version 7.X-2.10 or later.
Enforces approved authorizations on RESTful endpoints to prevent unauthorized forceful browsing and exposure of sensitive information without privileges.
Validates crafted data queries to RESTful Web Services, blocking malicious inputs that could disclose sensitive information.