SA-CONTRIB-2014-113 - Secure Password Hashes - Denial of Service

2014-11-19 00:00:00
Drupal Security Team
www.drupal.org
AI Score: 6.4 Medium (Confidence: High)

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL

EPSS: 0.04 Low (Percentile: 91.9%)

This module enables a more secure password storage for Drupal 6 by back-porting the code used in Drupal 7 core.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

This vulnerability can be exploited by anonymous users.

See also: <https://www.drupal.org/SA-CORE-2014-006>

CVE identifier(s) issued

  • CVE-2014-9016

Versions affected

  • Secure Password Hashes 6.x-2.x versions prior to 6.x-2.1.

Drupal core is not affected. If you do not use the contributed Secure Password Hashes module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Secure Password Hashes project page.

Reported by

Fixed by

  • Peter Wolanin, the module maintainer and Drupal Security Team member
