Lucene search

K
archlinuxArch LinuxASA-201411-25
HistoryNov 20, 2014 - 12:00 a.m.

drupal: session hijacking and denial of service

2014-11-2000:00:00
Arch Linux
lists.archlinux.org
21

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.04 Low

EPSS

Percentile

91.0%

Custom configured session.inc and password.inc need to be audited as
well to verify if they are prone to the following vulnerabilities.
More information can be found in the upstream advisory [0].

  • CVE-2014-9015 (session hijacking)
    Aaron Averill discovered that a specially crafted request can give a
    user access to another user’s session, allowing an attacker to hijack a
    random session.

  • CVE-2014-9016 (denial of service)
    Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that
    the password hashing API allows an attacker to send specially crafted
    requests resulting in CPU and memory exhaustion. This may lead to the
    site becoming unavailable or unresponsive.

OSVersionArchitecturePackageVersionFilename
anyanyanydrupal< 7.34-1UNKNOWN

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.04 Low

EPSS

Percentile

91.0%

Related for ASA-201411-25