#VU446 Resource exhaustion in Drupal - CVE-2014-5267,CVE-2014-5266,CVE-2014-5265
Published: September 14, 2016 / Updated: November 22, 2018
Vulnerability identifier: #VU446
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A/U:Clear
CVE-ID: CVE-2014-5267,CVE-2014-5266,CVE-2014-5265
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Drupal
Drupal
Software vendor:
Drupal
Drupal
Description
The vulnerability allows a remote user to cause denial of service on the target system.
The weakness is caused by vulnerability of PHP XML parser used by XML-RPC endpoint (xmlrpc.php) to attacks connected with XML payload. The attackers can cause CPU and memory exhaustion, open the maximum number of connection in the site's database that can result in denial of service.
Successful exploitation of this vulnerability may lead to denial of service on the vulnerable system.
The weakness is caused by vulnerability of PHP XML parser used by XML-RPC endpoint (xmlrpc.php) to attacks connected with XML payload. The attackers can cause CPU and memory exhaustion, open the maximum number of connection in the site's database that can result in denial of service.
Successful exploitation of this vulnerability may lead to denial of service on the vulnerable system.
Remediation
Update 6.x to 6.33.
https://www.drupal.org/drupal-6.33-release-notes
Update 7.x to 7.31.
https://www.drupal.org/drupal-7.31-release-notes
https://www.drupal.org/drupal-6.33-release-notes
Update 7.x to 7.31.
https://www.drupal.org/drupal-7.31-release-notes