CVE-2014-3704: SQL Injection
First published: Thu Oct 16 2014(Updated: )
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Drupal Drupal | >=7.0<7.32 | |
| Debian GNU/Linux | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://osvdb.org/show/osvdb/113371
- http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html
- http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html
- http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html
- http://seclists.org/fulldisclosure/2014/Oct/75
- http://secunia.com/advisories/59972
- http://www.debian.org/security/2014/dsa-3051
- http://www.exploit-db.com/exploits/34984
- http://www.exploit-db.com/exploits/34992
- http://www.exploit-db.com/exploits/34993
- http://www.exploit-db.com/exploits/35150
- http://www.openwall.com/lists/oss-security/2014/10/15/23
- http://www.securityfocus.com/archive/1/533706/100/0/threaded
- http://www.securityfocus.com/bid/70595
- https://www.drupal.org/SA-CORE-2014-005
- https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
- https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html
Frequently Asked Questions
What is the severity of CVE-2014-3704?
CVE-2014-3704 has a critical severity rating due to its potential for SQL injection attacks.
How do I fix CVE-2014-3704?
To remediate CVE-2014-3704, upgrade Drupal to version 7.32 or later.
Which versions of Drupal are affected by CVE-2014-3704?
CVE-2014-3704 affects Drupal core versions prior to 7.32.
Can CVE-2014-3704 be exploited remotely?
Yes, CVE-2014-3704 can be exploited by remote attackers through crafted SQL inputs.
What are the potential impacts of CVE-2014-3704?
The potential impacts of CVE-2014-3704 include unauthorized data access and possible database manipulation.
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/last-modified-date
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/weakness
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/drupal
- canonical/drupal drupal
- version/drupal drupal/7.0
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/7.0