cvelistv5 - cve-2014-3704

CVE-2014-3704 (GCVE-0-2014-3704)

Vulnerability from cvelistv5 – Published: 2014-10-16 00:00 – Updated: 2024-08-06 10:50

Summary

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

Tags

	https://www.drupal.org/SA-CORE-2014-005	x_refsource_CONFIRM
	http://seclists.org/fulldisclosure/2014/Oct/75	mailing-listx_refsource_FULLDISC
	http://www.securityfocus.com/archive/1/533706/100…	mailing-listx_refsource_BUGTRAQ
	https://www.sektioneins.de/en/advisories/advisory…	x_refsource_MISC
	http://www.exploit-db.com/exploits/34984	exploitx_refsource_EXPLOIT-DB
	http://www.exploit-db.com/exploits/35150	exploitx_refsource_EXPLOIT-DB
	http://www.openwall.com/lists/oss-security/2014/1…	mailing-listx_refsource_MLIST
	http://secunia.com/advisories/59972	third-party-advisoryx_refsource_SECUNIA
	http://packetstormsecurity.com/files/128741/Drupa…	x_refsource_MISC
	http://www.exploit-db.com/exploits/34992	exploitx_refsource_EXPLOIT-DB
	http://www.debian.org/security/2014/dsa-3051	vendor-advisoryx_refsource_DEBIAN
	http://www.securityfocus.com/bid/70595	vdb-entryx_refsource_BID
	http://www.exploit-db.com/exploits/34993	exploitx_refsource_EXPLOIT-DB
	http://packetstormsecurity.com/files/128721/Drupa…	x_refsource_MISC
	http://osvdb.org/show/osvdb/113371	vdb-entryx_refsource_OSVDB
	https://www.sektioneins.de/en/blog/14-11-03-drupa…	x_refsource_MISC
	http://packetstormsecurity.com/files/128720/Drupa…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T10:50:17.990Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.drupal.org/SA-CORE-2014-005"
          },
          {
            "name": "20141016 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2014/Oct/75"
          },
          {
            "name": "20141015 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/533706/100/0/threaded"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html"
          },
          {
            "name": "34984",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "http://www.exploit-db.com/exploits/34984"
          },
          {
            "name": "35150",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "http://www.exploit-db.com/exploits/35150"
          },
          {
            "name": "[oss-security] 20141015 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2014/10/15/23"
          },
          {
            "name": "59972",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/59972"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html"
          },
          {
            "name": "34992",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "http://www.exploit-db.com/exploits/34992"
          },
          {
            "name": "DSA-3051",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2014/dsa-3051"
          },
          {
            "name": "70595",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/70595"
          },
          {
            "name": "34993",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "http://www.exploit-db.com/exploits/34993"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html"
          },
          {
            "name": "113371",
            "tags": [
              "vdb-entry",
              "x_refsource_OSVDB",
              "x_transferred"
            ],
            "url": "http://osvdb.org/show/osvdb/113371"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-10-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.drupal.org/SA-CORE-2014-005"
        },
        {
          "name": "20141016 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2014/Oct/75"
        },
        {
          "name": "20141015 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/533706/100/0/threaded"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html"
        },
        {
          "name": "34984",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "http://www.exploit-db.com/exploits/34984"
        },
        {
          "name": "35150",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "http://www.exploit-db.com/exploits/35150"
        },
        {
          "name": "[oss-security] 20141015 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2014/10/15/23"
        },
        {
          "name": "59972",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/59972"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html"
        },
        {
          "name": "34992",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "http://www.exploit-db.com/exploits/34992"
        },
        {
          "name": "DSA-3051",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2014/dsa-3051"
        },
        {
          "name": "70595",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/70595"
        },
        {
          "name": "34993",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "http://www.exploit-db.com/exploits/34993"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html"
        },
        {
          "name": "113371",
          "tags": [
            "vdb-entry",
            "x_refsource_OSVDB"
          ],
          "url": "http://osvdb.org/show/osvdb/113371"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2014-3704",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.drupal.org/SA-CORE-2014-005",
              "refsource": "CONFIRM",
              "url": "https://www.drupal.org/SA-CORE-2014-005"
            },
            {
              "name": "20141016 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2014/Oct/75"
            },
            {
              "name": "20141015 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/533706/100/0/threaded"
            },
            {
              "name": "https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html",
              "refsource": "MISC",
              "url": "https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html"
            },
            {
              "name": "34984",
              "refsource": "EXPLOIT-DB",
              "url": "http://www.exploit-db.com/exploits/34984"
            },
            {
              "name": "35150",
              "refsource": "EXPLOIT-DB",
              "url": "http://www.exploit-db.com/exploits/35150"
            },
            {
              "name": "[oss-security] 20141015 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2014/10/15/23"
            },
            {
              "name": "59972",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/59972"
            },
            {
              "name": "http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html"
            },
            {
              "name": "34992",
              "refsource": "EXPLOIT-DB",
              "url": "http://www.exploit-db.com/exploits/34992"
            },
            {
              "name": "DSA-3051",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2014/dsa-3051"
            },
            {
              "name": "70595",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/70595"
            },
            {
              "name": "34993",
              "refsource": "EXPLOIT-DB",
              "url": "http://www.exploit-db.com/exploits/34993"
            },
            {
              "name": "http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html"
            },
            {
              "name": "113371",
              "refsource": "OSVDB",
              "url": "http://osvdb.org/show/osvdb/113371"
            },
            {
              "name": "https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html",
              "refsource": "MISC",
              "url": "https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2014-3704",
    "datePublished": "2014-10-16T00:00:00",
    "dateReserved": "2014-05-14T00:00:00",
    "dateUpdated": "2024-08-06T10:50:17.990Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"7.0\", \"versionEndExcluding\": \"7.32\", \"matchCriteriaId\": \"91740A58-2570-49E3-849E-1D3B8C95758C\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"16F59A04-14CF-49E2-9973-645477EA09DA\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.\"}, {\"lang\": \"es\", \"value\": \"La funci\\u00f3n expandArguments en la API de la base de datos de abstracci\\u00f3n para Drupal core 7.x anterior a 7.32 no construye correctamente las declaraciones, lo que permite a atacantes remotos inducir a ataques de inyecci\\u00f3n SQL a trav\\u00e9s de un array que contiene claves manipuladas.\"}]",
      "id": "CVE-2014-3704",
      "lastModified": "2024-11-21T02:08:42.297",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2014-10-16T00:55:06.653",
      "references": "[{\"url\": \"http://osvdb.org/show/osvdb/113371\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2014/Oct/75\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Mailing List\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"http://secunia.com/advisories/59972\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.debian.org/security/2014/dsa-3051\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.exploit-db.com/exploits/34984\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.exploit-db.com/exploits/34992\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.exploit-db.com/exploits/34993\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.exploit-db.com/exploits/35150\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2014/10/15/23\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Mailing List\", \"Patch\"]}, {\"url\": \"http://www.securityfocus.com/archive/1/533706/100/0/threaded\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securityfocus.com/bid/70595\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://www.drupal.org/SA-CORE-2014-005\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"http://osvdb.org/show/osvdb/113371\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2014/Oct/75\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mailing List\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"http://secunia.com/advisories/59972\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.debian.org/security/2014/dsa-3051\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.exploit-db.com/exploits/34984\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.exploit-db.com/exploits/34992\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.exploit-db.com/exploits/34993\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.exploit-db.com/exploits/35150\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2014/10/15/23\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mailing List\", \"Patch\"]}, {\"url\": \"http://www.securityfocus.com/archive/1/533706/100/0/threaded\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securityfocus.com/bid/70595\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://www.drupal.org/SA-CORE-2014-005\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2014-3704\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2014-10-16T00:55:06.653\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.\"},{\"lang\":\"es\",\"value\":\"La funci\u00f3n expandArguments en la API de la base de datos de abstracci\u00f3n para Drupal core 7.x anterior a 7.32 no construye correctamente las declaraciones, lo que permite a atacantes remotos inducir a ataques de inyecci\u00f3n SQL a trav\u00e9s de un array que contiene claves manipuladas.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0\",\"versionEndExcluding\":\"7.32\",\"matchCriteriaId\":\"91740A58-2570-49E3-849E-1D3B8C95758C\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"16F59A04-14CF-49E2-9973-645477EA09DA\"}]}]}],\"references\":[{\"url\":\"http://osvdb.org/show/osvdb/113371\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2014/Oct/75\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"http://secunia.com/advisories/59972\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.debian.org/security/2014/dsa-3051\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.exploit-db.com/exploits/34984\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.exploit-db.com/exploits/34992\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.exploit-db.com/exploits/34993\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.exploit-db.com/exploits/35150\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2014/10/15/23\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"http://www.securityfocus.com/archive/1/533706/100/0/threaded\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securityfocus.com/bid/70595\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.drupal.org/SA-CORE-2014-005\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"http://osvdb.org/show/osvdb/113371\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2014/Oct/75\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"http://secunia.com/advisories/59972\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.debian.org/security/2014/dsa-3051\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.exploit-db.com/exploits/34984\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.exploit-db.com/exploits/34992\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.exploit-db.com/exploits/34993\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.exploit-db.com/exploits/35150\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2014/10/15/23\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Patch\"]},{\"url\":\"http://www.securityfocus.com/archive/1/533706/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securityfocus.com/bid/70595\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://www.drupal.org/SA-CORE-2014-005\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

GHSA-F9CM-C972-9975

Vulnerability from github – Published: 2022-05-13 01:05 – Updated: 2022-05-13 01:05

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2014-3704"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-10-16T00:55:00Z",
    "severity": "HIGH"
  },
  "details": "The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.",
  "id": "GHSA-f9cm-c972-9975",
  "modified": "2022-05-13T01:05:42Z",
  "published": "2022-05-13T01:05:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3704"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/SA-CORE-2014-005"
    },
    {
      "type": "WEB",
      "url": "https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html"
    },
    {
      "type": "WEB",
      "url": "https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/show/osvdb/113371"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2014/Oct/75"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/59972"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2014/dsa-3051"
    },
    {
      "type": "WEB",
      "url": "http://www.exploit-db.com/exploits/34984"
    },
    {
      "type": "WEB",
      "url": "http://www.exploit-db.com/exploits/34992"
    },
    {
      "type": "WEB",
      "url": "http://www.exploit-db.com/exploits/34993"
    },
    {
      "type": "WEB",
      "url": "http://www.exploit-db.com/exploits/35150"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/10/15/23"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/533706/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/70595"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CERTFR-2014-ALE-008

Vulnerability from certfr_alerte - Published: - Updated:

Une vulnérabilité a été découverte dans Drupal. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance sans authentification préalable.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Drupal core, versions 7.x antérieures à 7.32

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité Drupal du 15 octobre 2014

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cP\u003eDrupal core, versions 7.x ant\u00e9rieures \u00e0 7.32\u003c/P\u003e",
  "closed_at": "2015-01-30",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2014-3704",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-3704"
    }
  ],
  "links": [],
  "reference": "CERTFR-2014-ALE-008",
  "revisions": [
    {
      "description": "version initiale ;",
      "revision_date": "2014-10-16T00:00:00.000000"
    },
    {
      "description": "fermeture de l\u0027alerte.",
      "revision_date": "2015-01-30T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans \u003cspan\nclass=\"textit\"\u003eDrupal\u003c/span\u003e. Elle permet \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance sans authentification\npr\u00e9alable.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal du 15 octobre 2014",
      "url": "https://www.drupal.org/SA-CORE-2014-005"
    }
  ]
}

CERTFR-2014-ALE-008

Vulnerability from certfr_alerte - Published: - Updated:

Une vulnérabilité a été découverte dans Drupal. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance sans authentification préalable.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Drupal core, versions 7.x antérieures à 7.32

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité Drupal du 15 octobre 2014

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cP\u003eDrupal core, versions 7.x ant\u00e9rieures \u00e0 7.32\u003c/P\u003e",
  "closed_at": "2015-01-30",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2014-3704",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-3704"
    }
  ],
  "links": [],
  "reference": "CERTFR-2014-ALE-008",
  "revisions": [
    {
      "description": "version initiale ;",
      "revision_date": "2014-10-16T00:00:00.000000"
    },
    {
      "description": "fermeture de l\u0027alerte.",
      "revision_date": "2015-01-30T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans \u003cspan\nclass=\"textit\"\u003eDrupal\u003c/span\u003e. Elle permet \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance sans authentification\npr\u00e9alable.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal du 15 octobre 2014",
      "url": "https://www.drupal.org/SA-CORE-2014-005"
    }
  ]
}

CERTFR-2014-AVI-434

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été corrigée dans Drupal. Elle permet à un attaquant de provoquer une injection de requêtes SQL, une atteinte à l'intégrité des données et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Drupal 7 versions antérieures à 7.32

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité Drupal SA-CORE-2014-005 du 15 octobre 2014	None	vendor-advisory
Bulletin de sécurité Drupal SA-CORE-2014-005 du 15 octobre 2014	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cP\u003eDrupal 7 versions ant\u00e9rieures \u00e0 7.32\u003c/P\u003e",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2014-3704",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-3704"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2014-005 du 15 octobre    2014",
      "url": "https://www.drupal.org/SA-CORE-2014-005"
    }
  ],
  "reference": "CERTFR-2014-AVI-434",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2014-10-16T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Injection SQL"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 corrig\u00e9e dans \u003cspan\nclass=\"textit\"\u003eDrupal\u003c/span\u003e. Elle permet \u00e0 un attaquant de provoquer\nune injection de requ\u00eates SQL, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et\nune atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2014-005 du 15 octobre 2014",
      "url": null
    }
  ]
}

CERTFR-2014-AVI-434

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Drupal 7 versions antérieures à 7.32

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité Drupal SA-CORE-2014-005 du 15 octobre 2014	None	vendor-advisory
Bulletin de sécurité Drupal SA-CORE-2014-005 du 15 octobre 2014	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cP\u003eDrupal 7 versions ant\u00e9rieures \u00e0 7.32\u003c/P\u003e",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2014-3704",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-3704"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2014-005 du 15 octobre    2014",
      "url": "https://www.drupal.org/SA-CORE-2014-005"
    }
  ],
  "reference": "CERTFR-2014-AVI-434",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2014-10-16T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Injection SQL"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 corrig\u00e9e dans \u003cspan\nclass=\"textit\"\u003eDrupal\u003c/span\u003e. Elle permet \u00e0 un attaquant de provoquer\nune injection de requ\u00eates SQL, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et\nune atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2014-005 du 15 octobre 2014",
      "url": null
    }
  ]
}

GSD-2014-3704

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2014-3704

Aliases

CVE-2014-3704

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2014-3704",
    "description": "The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.",
    "id": "GSD-2014-3704",
    "references": [
      "https://www.debian.org/security/2014/dsa-3051",
      "https://advisories.mageia.org/CVE-2014-3704.html",
      "https://packetstormsecurity.com/files/cve/CVE-2014-3704"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2014-3704"
      ],
      "details": "The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.",
      "id": "GSD-2014-3704",
      "modified": "2023-12-13T01:22:52.916325Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2014-3704",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.drupal.org/SA-CORE-2014-005",
            "refsource": "CONFIRM",
            "url": "https://www.drupal.org/SA-CORE-2014-005"
          },
          {
            "name": "20141016 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2014/Oct/75"
          },
          {
            "name": "20141015 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/533706/100/0/threaded"
          },
          {
            "name": "https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html",
            "refsource": "MISC",
            "url": "https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html"
          },
          {
            "name": "34984",
            "refsource": "EXPLOIT-DB",
            "url": "http://www.exploit-db.com/exploits/34984"
          },
          {
            "name": "35150",
            "refsource": "EXPLOIT-DB",
            "url": "http://www.exploit-db.com/exploits/35150"
          },
          {
            "name": "[oss-security] 20141015 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2014/10/15/23"
          },
          {
            "name": "59972",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/59972"
          },
          {
            "name": "http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html"
          },
          {
            "name": "34992",
            "refsource": "EXPLOIT-DB",
            "url": "http://www.exploit-db.com/exploits/34992"
          },
          {
            "name": "DSA-3051",
            "refsource": "DEBIAN",
            "url": "http://www.debian.org/security/2014/dsa-3051"
          },
          {
            "name": "70595",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/70595"
          },
          {
            "name": "34993",
            "refsource": "EXPLOIT-DB",
            "url": "http://www.exploit-db.com/exploits/34993"
          },
          {
            "name": "http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html"
          },
          {
            "name": "113371",
            "refsource": "OSVDB",
            "url": "http://osvdb.org/show/osvdb/113371"
          },
          {
            "name": "https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html",
            "refsource": "MISC",
            "url": "https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html"
          },
          {
            "name": "http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.32",
                "versionStartIncluding": "7.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2014-3704"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-89"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20141015 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability",
              "refsource": "MLIST",
              "tags": [
                "Exploit",
                "Mailing List",
                "Patch"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2014/10/15/23"
            },
            {
              "name": "https://www.drupal.org/SA-CORE-2014-005",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://www.drupal.org/SA-CORE-2014-005"
            },
            {
              "name": "https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html"
            },
            {
              "name": "DSA-3051",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://www.debian.org/security/2014/dsa-3051"
            },
            {
              "name": "59972",
              "refsource": "SECUNIA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://secunia.com/advisories/59972"
            },
            {
              "name": "34993",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.exploit-db.com/exploits/34993"
            },
            {
              "name": "http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html"
            },
            {
              "name": "70595",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/70595"
            },
            {
              "name": "20141016 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability",
              "refsource": "FULLDISC",
              "tags": [
                "Exploit",
                "Mailing List",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2014/Oct/75"
            },
            {
              "name": "http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html"
            },
            {
              "name": "https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html"
            },
            {
              "name": "113371",
              "refsource": "OSVDB",
              "tags": [
                "Broken Link"
              ],
              "url": "http://osvdb.org/show/osvdb/113371"
            },
            {
              "name": "34984",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.exploit-db.com/exploits/34984"
            },
            {
              "name": "34992",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.exploit-db.com/exploits/34992"
            },
            {
              "name": "35150",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.exploit-db.com/exploits/35150"
            },
            {
              "name": "20141015 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability",
              "refsource": "BUGTRAQ",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/archive/1/533706/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2021-09-29T14:08Z",
      "publishedDate": "2014-10-16T00:55Z"
    }
  }
}

FKIE_CVE-2014-3704

Vulnerability from fkie_nvd - Published: 2014-10-16 00:55 - Updated: 2025-04-12 10:46

Severity ?

Summary

References

URL	Tags
secalert@redhat.com	http://osvdb.org/show/osvdb/113371	Broken Link
secalert@redhat.com	http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html	Exploit, Third Party Advisory, VDB Entry
secalert@redhat.com	http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html	Exploit, Third Party Advisory, VDB Entry
secalert@redhat.com	http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html	Exploit, Third Party Advisory, VDB Entry
secalert@redhat.com	http://seclists.org/fulldisclosure/2014/Oct/75	Exploit, Mailing List, Patch, Third Party Advisory
secalert@redhat.com	http://secunia.com/advisories/59972	Third Party Advisory
secalert@redhat.com	http://www.debian.org/security/2014/dsa-3051	Third Party Advisory
secalert@redhat.com	http://www.exploit-db.com/exploits/34984	Exploit, Third Party Advisory, VDB Entry
secalert@redhat.com	http://www.exploit-db.com/exploits/34992	Exploit, Third Party Advisory, VDB Entry
secalert@redhat.com	http://www.exploit-db.com/exploits/34993	Exploit, Third Party Advisory, VDB Entry
secalert@redhat.com	http://www.exploit-db.com/exploits/35150	Exploit, Third Party Advisory, VDB Entry
secalert@redhat.com	http://www.openwall.com/lists/oss-security/2014/10/15/23	Exploit, Mailing List, Patch
secalert@redhat.com	http://www.securityfocus.com/archive/1/533706/100/0/threaded	Third Party Advisory, VDB Entry
secalert@redhat.com	http://www.securityfocus.com/bid/70595	Third Party Advisory, VDB Entry
secalert@redhat.com	https://www.drupal.org/SA-CORE-2014-005	Patch, Vendor Advisory
secalert@redhat.com	https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html	Exploit, Patch, Third Party Advisory
secalert@redhat.com	https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://osvdb.org/show/osvdb/113371	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2014/Oct/75	Exploit, Mailing List, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/59972	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2014/dsa-3051	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.exploit-db.com/exploits/34984	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.exploit-db.com/exploits/34992	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.exploit-db.com/exploits/34993	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.exploit-db.com/exploits/35150	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2014/10/15/23	Exploit, Mailing List, Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/533706/100/0/threaded	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/70595	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://www.drupal.org/SA-CORE-2014-005	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html	Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	drupal	drupal	*
	debian	debian_linux	7.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "91740A58-2570-49E3-849E-1D3B8C95758C",
              "versionEndExcluding": "7.32",
              "versionStartIncluding": "7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys."
    },
    {
      "lang": "es",
      "value": "La funci\u00f3n expandArguments en la API de la base de datos de abstracci\u00f3n para Drupal core 7.x anterior a 7.32 no construye correctamente las declaraciones, lo que permite a atacantes remotos inducir a ataques de inyecci\u00f3n SQL a trav\u00e9s de un array que contiene claves manipuladas."
    }
  ],
  "id": "CVE-2014-3704",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2014-10-16T00:55:06.653",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Broken Link"
      ],
      "url": "http://osvdb.org/show/osvdb/113371"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2014/Oct/75"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://secunia.com/advisories/59972"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.debian.org/security/2014/dsa-3051"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.exploit-db.com/exploits/34984"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.exploit-db.com/exploits/34992"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.exploit-db.com/exploits/34993"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.exploit-db.com/exploits/35150"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Mailing List",
        "Patch"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2014/10/15/23"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/archive/1/533706/100/0/threaded"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/70595"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.drupal.org/SA-CORE-2014-005"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://osvdb.org/show/osvdb/113371"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2014/Oct/75"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://secunia.com/advisories/59972"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.debian.org/security/2014/dsa-3051"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.exploit-db.com/exploits/34984"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.exploit-db.com/exploits/34992"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.exploit-db.com/exploits/34993"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.exploit-db.com/exploits/35150"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List",
        "Patch"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2014/10/15/23"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/archive/1/533706/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/70595"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.drupal.org/SA-CORE-2014-005"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2014-3704 (GCVE-0-2014-3704)

GHSA-F9CM-C972-9975

CERTFR-2014-ALE-008

Solution

CERTFR-2014-ALE-008

Solution

CERTFR-2014-AVI-434

Solution

CERTFR-2014-AVI-434

Solution

GSD-2014-3704

FKIE_CVE-2014-3704

Tags

Sightings

Nomenclature