CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile: 100.0%
Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
This vulnerability can be exploited by anonymous users.
Update: Multiple exploits have been reported in the wild following the release of this security advisory, and Drupal 7 sites which did not update soon after the advisory was released may be compromised. See this follow-up announcement for more information: <https://www.drupal.org/PSA-2014-003>
Install the latest version:
If you are unable to update to Drupal 7.32, you can apply this patch to Drupal’s database.inc file to fix the vulnerability until you are able to upgrade completely to Drupal 7.32.
Also see the Drupal core project page and the follow-up public service announcement.
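An added example, not part of the advisory or Drupal's own code: a Python check that reports whether a Drupal 7 tree still needs the fix described above, given its version string and the text of database.inc. The function names and sample excerpts are constructed for illustration, and the check assumes the fix wraps the array loop in expandArguments() with array_values(); confirm that against the patch file before relying on it.

```python
import re

FIXED_MINOR = 32  # the advisory names Drupal 7.32 as the fixed release
FUNC_RE = re.compile(r"^[ \t]*(?:\w+[ \t]+)*function[ \t]+&?(\w+)", re.M)
# Assumption: the loop over an array argument in expandArguments(), with or
# without the array_values() wrapper that the published patch adds.
LOOP_RE = re.compile(
    r"foreach\s*\(\s*(array_values\s*\(\s*)?\$data\s*\)?\s+as\s+\$i\s*=>")

# Constructed excerpts standing in for database.inc (not the real file).
SAMPLE_UNPATCHED = """
  protected function expandArguments(&$query, &$args) {
    foreach (array_filter($args, 'is_array') as $key => $data) {
      foreach ($data as $i => $value) { }
    }
  }
  public function query($query) { }
"""
SAMPLE_PATCHED = SAMPLE_UNPATCHED.replace("($data as", "(array_values($data) as")

def needs_update(version):
    """True if a 7.x version predates 7.32 (7.32-dev, 7.32-rc1 count as older)."""
    m = re.fullmatch(r"7\.(\d+)(-[\w.]+)?", version.strip())
    if not m:
        raise ValueError("not a Drupal 7.x version: %r" % version)
    minor = int(m.group(1))
    return minor < FIXED_MINOR or (minor == FIXED_MINOR and bool(m.group(2)))

def database_inc_status(source):
    """Return 'patched', 'vulnerable' or 'unknown' for database.inc text."""
    funcs = list(FUNC_RE.finditer(source))
    for i, f in enumerate(funcs):
        if f.group(1) == "expandArguments":
            end = funcs[i + 1].start() if i + 1 < len(funcs) else len(source)
            body = re.sub(r"//[^\n]*", "", source[f.start():end])  # drop comments
            loops = list(LOOP_RE.finditer(body))
            if loops:
                return "patched" if all(m.group(1) for m in loops) else "vulnerable"
    return "unknown"

def assess(version, source):
    """Combine both checks into one finding per site."""
    status, old = database_inc_status(source), needs_update(version)
    if status == "vulnerable" or (old and status == "unknown"):
        return "vulnerable"
    if old:
        return "interim-patch"  # patched file on a pre-7.32 tree: still upgrade
    return "fixed"
```

A "fixed" or "interim-patch" result says nothing about whether the site was compromised before the fix went in; the follow-up announcement covers that case.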
www.drupal.org/contact
www.drupal.org/drupal-7.32-release-notes
www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch
www.drupal.org/node/2357241
www.drupal.org/project/drupal
www.drupal.org/PSA-2014-003
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/u/david_rothstein
www.drupal.org/u/greggles
www.drupal.org/u/klausi
www.drupal.org/u/larowlan
www.drupal.org/writing-secure-code