SB2014112009 - Fedora EPEL 7 update for drupal7
Published: November 20, 2014 Updated: April 24, 2025
Security Bulletin ID
SB2014112009
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Partial DoS
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Session hijacking (CVE-ID: CVE-2014-9015)
CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allow a remore user to hijack a valid user's session.
The weakness exists due to specially crafted requests that gives a user access to another user's session and allows attacker to steal a random session.
Successful exploitation of this vulnerability may result in hijacking of the target user's session.
2) Denial of service (CVE-ID: CVE-2014-9016)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A/U:Clear
The vulnerability allows a remote user to cause denial of service on the target system.
The weakness exists due to CPU and memory exhaustion. Specially crafted and sent by the attackers requests may lead to site unavailability.
Successful exploitation of this vulnerability may result in denial of service on the vulnerable system.
Remediation
Install update from vendor's website.