Summary
A vulnerability in the password hashing API of Drupal 7 can lead to a DoS.
Impact
An unauthenticated attacker can cause a denial of service.
Impact Level: Application
Solution
Upgrade to Drupal 7.34 or later.
Insight
Drupal 7 includes a password hashing API to ensure that user-supplied passwords are not stored in plain text. An attacker can send specially crafted requests that result in CPU and memory exhaustion.
Affected
Drupal 7
Detection
Check the version of Drupal.
Severity
Classification
- CVE: CVE-2014-9016
- CVSS Base Score: 5.0
- CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P