Main Vulnerability Database SB2014112001

SB2014112001 - Arch Linux update for drupal

Published: November 20, 2014

Security Bulletin ID SB2014112001

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Partial DoS

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 vulnerabilities.

1) Session hijacking (CVE-ID: CVE-2014-9015)

The vulnerability allow a remore user to hijack a valid user's session.
The weakness exists due to specially crafted requests that gives a user access to another user's session and allows attacker to steal a random session.
Successful exploitation of this vulnerability may result in hijacking of the target user's session.

2) Denial of service (CVE-ID: CVE-2014-9016)

The vulnerability allows a remote user to cause denial of service on the target system.
The weakness exists due to CPU and memory exhaustion. Specially crafted and sent by the attackers requests may lead to site unavailability.
Successful exploitation of this vulnerability may result in denial of service on the vulnerable system.

Remediation

Install update from vendor's website.

References

https://www.drupal.org/SA-CORE-2014-006