7.5 - DSA-2847

Executive Summary

Summary
Title	drupal7 security update

Informations
Name	DSA-2847	First vendor Publication	2014-01-20
Vendor	Debian	Last vendor Modification	2014-01-20
Severity (Vendor)	N/A	Revision	1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2014-1475

Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.

CVE-2014-1476

Matt Vance and Damien Tournoud reported an access bypass vulnerability in the taxonomy module. Under certain circumstances, unpublished content can appear on listing pages provided by the taxonomy module and will be visible to users who should not have permission to see it.

These fixes require extra updates to the database which can be done from the administration pages. Furthermore this update introduces a new security hardening element for the form API. Please refer to the upstream advisory at https://drupal.org/SA-CORE-2014-001 for further information.

For the stable distribution (wheezy), these problems have been fixed in version 7.14-2+deb7u2.

For the testing distribution (jessie), these problems have been fixed in version 7.26-1.

For the unstable distribution (sid), these problems have been fixed in version 7.26-1.

We recommend that you upgrade your drupal7 packages.

Original Source

Url : http://www.debian.org/security/2014/dsa-2847

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-264	Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:22103

Oval ID:	oval:org.mitre.oval:def:22103
Title:	DSA-2847-1 drupal7 - several
Description:	Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework.
Family:	unix	Class:	patch
Reference(s):	DSA-2847-1 CVE-2014-1475 CVE-2014-1476	Version:	5
Platform(s):	Debian GNU/Linux 7 Debian GNU/kFreeBSD 7	Product(s):	drupal7
Definition Synopsis:
Debian 7 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND drupal7 DPKG is earlier than 0:7.14-2+deb7u2

Definition Id: oval:org.mitre.oval:def:22156

Oval ID:	oval:org.mitre.oval:def:22156
Title:	DSA-2851-1 drupal6 - impersonation
Description:	Christian Maink a and Vladislav Mladenov reported a vulnerability in the OpenID module of Drupal, a fully-featured content management framework. A malicious user could exploit this flaw to log in as other users on the site, including administrators, and hijack their accounts.
Family:	unix	Class:	patch
Reference(s):	DSA-2851-1 CVE-2014-1475	Version:	5
Platform(s):	Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0	Product(s):	drupal6
Definition Synopsis:
Debian 6.0 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND drupal6 DPKG is earlier than 0:6.30-1

CPE : Common Platform Enumeration

Type	Description	Count
Application	Drupal cpe:2.3:a:drupal:drupal:7.24:::::::* cpe:2.3:a:drupal:drupal:7.23:::::::* cpe:2.3:a:drupal:drupal:7.22:::::::* cpe:2.3:a:drupal:drupal:7.21:::::::* cpe:2.3:a:drupal:drupal:7.20:::::::* cpe:2.3:a:drupal:drupal:7.2:::::::* cpe:2.3:a:drupal:drupal:7.19:::::::* cpe:2.3:a:drupal:drupal:7.18:::::::* cpe:2.3:a:drupal:drupal:7.17:::::::* cpe:2.3:a:drupal:drupal:7.16:::::::* cpe:2.3:a:drupal:drupal:7.15:::::::* cpe:2.3:a:drupal:drupal:7.14:::::::* cpe:2.3:a:drupal:drupal:7.13:::::::* cpe:2.3:a:drupal:drupal:7.12:::::::* cpe:2.3:a:drupal:drupal:7.11:::::::* cpe:2.3:a:drupal:drupal:7.10:::::::* cpe:2.3:a:drupal:drupal:7.1:::::::* cpe:2.3:a:drupal:drupal:7.0:rc4:::::: cpe:2.3:a:drupal:drupal:7.0:dev:::::: cpe:2.3:a:drupal:drupal:7.0:beta2:::::: cpe:2.3:a:drupal:drupal:7.0:alpha2:::::: cpe:2.3:a:drupal:drupal:7.0:alpha5:::::: cpe:2.3:a:drupal:drupal:7.0:beta1:::::: cpe:2.3:a:drupal:drupal:7.0:alpha4:::::: cpe:2.3:a:drupal:drupal:7.0:alpha3:::::: cpe:2.3:a:drupal:drupal:7.0:rc1:::::: cpe:2.3:a:drupal:drupal:7.0:alpha7:::::: cpe:2.3:a:drupal:drupal:7.0:alpha1:::::: cpe:2.3:a:drupal:drupal:7.0:::::::* cpe:2.3:a:drupal:drupal:7.0:beta3:::::: cpe:2.3:a:drupal:drupal:7.0:alpha6:::::: cpe:2.3:a:drupal:drupal:7.0:rc2:::::: cpe:2.3:a:drupal:drupal:7.0:rc3:::::: cpe:2.3:a:drupal:drupal:6.28:::::::* cpe:2.3:a:drupal:drupal:6.27:::::::* cpe:2.3:a:drupal:drupal:6.26:::::::* cpe:2.3:a:drupal:drupal:6.25:::::::* cpe:2.3:a:drupal:drupal:6.24:::::::* cpe:2.3:a:drupal:drupal:6.23:::::::* cpe:2.3:a:drupal:drupal:6.22:::::::* cpe:2.3:a:drupal:drupal:6.21:::::::* cpe:2.3:a:drupal:drupal:6.20:::::::* cpe:2.3:a:drupal:drupal:6.2:::::::* cpe:2.3:a:drupal:drupal:6.19:::::::* cpe:2.3:a:drupal:drupal:6.18:::::::* cpe:2.3:a:drupal:drupal:6.17:::::::* cpe:2.3:a:drupal:drupal:6.16:::::::* cpe:2.3:a:drupal:drupal:6.15:::::::* cpe:2.3:a:drupal:drupal:6.14:::::::* cpe:2.3:a:drupal:drupal:6.13:::::::* cpe:2.3:a:drupal:drupal:6.12:::::::* cpe:2.3:a:drupal:drupal:6.11:::::::* cpe:2.3:a:drupal:drupal:6.10:::::::* cpe:2.3:a:drupal:drupal:6.1:::::::* cpe:2.3:a:drupal:drupal:6.0:rc-4:::::: cpe:2.3:a:drupal:drupal:6.0:rc-3:::::: cpe:2.3:a:drupal:drupal:6.0:rc-1:::::: cpe:2.3:a:drupal:drupal:6.0:rc-2:::::: cpe:2.3:a:drupal:drupal:6.0:::::::* cpe:2.3:a:drupal:drupal:6.0:beta4:::::: cpe:2.3:a:drupal:drupal:6.0:rc4:::::: cpe:2.3:a:drupal:drupal:6.0:dev:::::: cpe:2.3:a:drupal:drupal:6.0:beta2:::::: cpe:2.3:a:drupal:drupal:6.0:rc1:::::: cpe:2.3:a:drupal:drupal:6.0:rc2:::::: cpe:2.3:a:drupal:drupal:6.0:beta3:::::: cpe:2.3:a:drupal:drupal:6.0:beta1:::::: cpe:2.3:a:drupal:drupal:6.0:rc3::::::	68

Information Assurance Vulnerability Management (IAVM)

Date	Description
2014-01-23	IAVM : 2014-B-0006 - Multiple Security Vulnerabilities in Drupal Severity : Category II - VMSKEY : V0043618

Nessus® Vulnerability Scanner

Date	Description
2014-02-16	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-031.nasl - Type : ACT_GATHER_INFO
2014-02-03	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2851.nasl - Type : ACT_GATHER_INFO
2014-01-23	Name : The remote web server is running a PHP application that is affected by a secu... File : drupal_6_30.nasl - Type : ACT_GATHER_INFO
2014-01-23	Name : The remote web server is running a PHP application that is affected by securi... File : drupal_7_26.nasl - Type : ACT_GATHER_INFO
2014-01-21	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2847.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:32:30	Multiple Updates
2014-01-25 13:22:16	Multiple Updates
2014-01-24 21:24:59	Multiple Updates
2014-01-21 00:18:15	First insertion

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	2
CPE ID(s)	68
IAVM(s)	1
Nessus® Exploit(s)	5

	Related
7.5	CVE-2014-1475
4	CVE-2014-1476
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 2 more Alert(s)

7.5 - DSA-2847

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

Information Assurance Vulnerability Management (IAVM)

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU