CVE-2014-9016 — MEDIUM (5.0)

Q: How severe is CVE-2014-9016?

CVE-2014-9016 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-9016?

Check the references section above for vendor advisories and patch information. Affected products include: Drupal Drupal, Secure Password Hashes Project Secure Passwords Hashes, Debian Debian Linux.

Vulnerability Description

The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.

CVSS Score

5.0

MEDIUM

AV:N/AC:L/Au:N/C:N/I:N/A:P

Confidentiality

NONE

Integrity

NONE

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Drupal	Drupal	>= 7.0, < 7.34
Secure Password Hashes Project	Secure Passwords Hashes	>= 6.x-2.0, < 6.x-2.1
Debian	Debian Linux	7.0

References

http://secunia.com/advisories/59164Third Party Advisory
http://secunia.com/advisories/59814Third Party Advisory
http://www.debian.org/security/2014/dsa-3075Third Party Advisory
http://www.openwall.com/lists/oss-security/2014/11/20/21Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2014/11/20/3Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2014/11/21/1Mailing ListThird Party Advisory
https://www.drupal.org/SA-CORE-2014-006Vendor Advisory
https://www.drupal.org/node/2378367PatchVendor Advisory
https://www.drupal.org/node/2378375PatchVendor Advisory
http://secunia.com/advisories/59164Third Party Advisory
http://secunia.com/advisories/59814Third Party Advisory
http://www.debian.org/security/2014/dsa-3075Third Party Advisory
http://www.openwall.com/lists/oss-security/2014/11/20/21Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2014/11/20/3Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2014/11/21/1Mailing ListThird Party Advisory

FAQ

What is CVE-2014-9016?

CVE-2014-9016 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and me...

How severe is CVE-2014-9016?

CVE-2014-9016 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-9016?

Check the references section above for vendor advisories and patch information. Affected products include: Drupal Drupal, Secure Password Hashes Project Secure Passwords Hashes, Debian Debian Linux.