Resource exhaustion in Drupal - CVE-2014-5267,CVE-2014-5266,CVE-2014-5265
Published: September 14, 2016 / Updated: November 22, 2018
Vulnerability identifier: #VU446
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A/U:Clear
CVE-ID: CVE-2014-5267,CVE-2014-5266,CVE-2014-5265
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: Drupal
Affected software:
Drupal
Drupal
Detailed vulnerability description
The vulnerability allows a remote user to cause denial of service on the target system.
The weakness is caused by vulnerability of PHP XML parser used by XML-RPC endpoint (xmlrpc.php) to attacks connected with XML payload. The attackers can cause CPU and memory exhaustion, open the maximum number of connection in the site's database that can result in denial of service.
Successful exploitation of this vulnerability may lead to denial of service on the vulnerable system.
The weakness is caused by vulnerability of PHP XML parser used by XML-RPC endpoint (xmlrpc.php) to attacks connected with XML payload. The attackers can cause CPU and memory exhaustion, open the maximum number of connection in the site's database that can result in denial of service.
Successful exploitation of this vulnerability may lead to denial of service on the vulnerable system.
How to mitigate CVE-2014-5267,CVE-2014-5266,CVE-2014-5265
Update 6.x to 6.33.
https://www.drupal.org/drupal-6.33-release-notes
Update 7.x to 7.31.
https://www.drupal.org/drupal-7.31-release-notes
https://www.drupal.org/drupal-6.33-release-notes
Update 7.x to 7.31.
https://www.drupal.org/drupal-7.31-release-notes