CVSS2: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score: 9.8 High (Confidence: High)
EPSS: 0.975 High (Percentile: 100.0%)

Gunnar Wolf uploaded new packages for Drupal7 which fixed the
following security problems:

CVE 2014-3704 / SA-CORE-2014-005:
  Highly critical: Pre Auth SQL injection

  The expandArguments function in the database abstraction API in
  Drupal core 7.x before 7.32 does not properly construct prepared
  statements, which allows remote attackers to conduct SQL injection
  attacks via an array containing crafted keys.

  https://www.drupal.org/SA-CORE-2014-005
  https://vulners.com/cve/CVE-2014-3704
  https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

For the squeeze-backports distribution the problems have been fixed in
version 7.14-2+deb7u7~bpo60+1.

For the wheezy-backports distribution the problems have been fixed in
version 7.32-1~bpo70+1.
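
A simplified model of the flaw class described above, added here as an illustration and not taken from Drupal's source or from this announcement: when an array argument is expanded into several placeholders, the array's keys become part of the placeholder names, so they must never come from the request. The function names, the `$reindex` flag and the sample query and data are assumptions made for this example.

```php
<?php
// Simplified model of array-placeholder expansion. Added example, not Drupal's source;
// expand_arguments(), its $reindex flag and the sample data are assumptions.

function expand_arguments(string $query, array &$args, bool $reindex): string {
  foreach (array_filter($args, 'is_array') as $name => $data) {
    // Hardened form: discard caller-supplied keys so suffixes are always 0..n-1.
    if ($reindex) {
      $data = array_values($data);
    }
    $expanded = [];
    foreach ($data as $i => $value) {
      // Without reindexing, $i is the request's own array key and lands in SQL text.
      $expanded[$name . '_' . $i] = $value;
    }
    $query = preg_replace(
      '#' . preg_quote($name, '#') . '\b#',
      implode(', ', array_keys($expanded)),
      $query
    );
    unset($args[$name]);
    $args += $expanded;
  }
  return $query;
}

// Defensive check: every bound parameter name must be a plain identifier.
function placeholders_are_plain(array $args): bool {
  foreach (array_keys($args) as $name) {
    if (!preg_match('/^:[A-Za-z0-9_]+$/', (string) $name)) {
      return false;
    }
  }
  return true;
}

// Constructed input: one array key carries extra text instead of a numeric index.
$sample = [':name' => ['0 /* text taken from the key */' => 'alice', 1 => 'bob']];

foreach ([false, true] as $reindex) {
  $args = $sample;
  $sql = expand_arguments('SELECT uid FROM users WHERE name IN (:name)', $args, $reindex);
  printf("reindex=%s\n  sql:   %s\n  plain: %s\n",
    var_export($reindex, true), $sql, var_export(placeholders_are_plain($args), true));
}
```

With `$reindex` off, the key text appears verbatim inside the statement and the plain-identifier check fails; with it on, only generated names such as `:name_0` reach the query and the values stay bound parameters.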