Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU458
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-0316
CWE-ID: CWE-120 - Buffer overflow
Exploit availability: No
Description
The vulnerability allows a remote user to cause denial of service on the target system.
The weakness exists due to abuse of Image module permissions. Excessive on-demand generation of new image derivatives can fill the server's disk space and cause high CPU load, which may make the site unavailable.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
Update to 7.20.
https://www.drupal.org/drupal-7.20-release-notes
Drupal: 7.0 - 7.19
https://www.drupal.org/SA-CORE-2013-002
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.