CVE-2014-3704

Drupal HTTP Parameter Key/Value SQL Injection

Severity Score

7.5

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

La función expandArguments en la API de la base de datos de abstracción para Drupal core 7.x anterior a 7.32 no construye correctamente las declaraciones, lo que permite a atacantes remotos inducir a ataques de inyección SQL a través de un array que contiene claves manipuladas.

Drupal versions 7.0 through 7.31 suffer from a remote SQL injection vulnerability.

*Credits: N/A

CVSS Scores

NISTv2 7.5

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-05-14 CVE Reserved
2014-10-15 First Exploit
2014-10-16 CVE Published
2024-08-06 CVE Updated
2024-08-28 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CAPEC

References (26)

URL	Tag	Source
http://osvdb.org/show/osvdb/113371	Broken Link
http://secunia.com/advisories/59972	Third Party Advisory
http://www.securityfocus.com/archive/1/533706/100/0/threaded	Mailing List
http://www.securityfocus.com/bid/70595	Third Party Advisory
http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
https://www.whitewinterwolf.com/posts/2017/11/16/drupageddon-revisited-a-new-path-from-sql-injection-to-remote-command-execution-cve-2014-3704

URL	Date	SRC
https://www.exploit-db.com/exploits/34992	2014-10-17
https://www.exploit-db.com/exploits/34993	2014-10-17
https://www.exploit-db.com/exploits/44355	2014-11-03
https://www.exploit-db.com/exploits/35150	2014-11-03
https://www.exploit-db.com/exploits/34984	2014-10-16
https://github.com/happynote3966/CVE-2014-3704	2018-07-17
http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html	2024-08-06
http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html	2024-08-06
http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html	2024-08-06
http://seclists.org/fulldisclosure/2014/Oct/75	2024-08-06
http://www.exploit-db.com/exploits/34984	2024-08-06
http://www.exploit-db.com/exploits/34992	2024-08-06
http://www.exploit-db.com/exploits/34993	2024-08-06
http://www.exploit-db.com/exploits/35150	2024-08-06
http://www.openwall.com/lists/oss-security/2014/10/15/23	2024-08-06
https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html	2024-08-06
https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html	2024-08-06
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/drupal_drupageddon.rb	2014-10-15

URL	Date	SRC
https://www.drupal.org/SA-CORE-2014-005	2014-10-15

URL	Date	SRC
http://www.debian.org/security/2014/dsa-3051	2021-09-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Drupal Search vendor "Drupal"		Drupal Search vendor "Drupal" for product "Drupal"				>= 7.0 < 7.32 Search vendor "Drupal" for product "Drupal" and version " >= 7.0 < 7.32"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0"		-		Affected