CVE-2014-3704

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.openwall.com/lists/oss-security/2014/10/15/23", "name": "[oss-security] 20141015 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability", "tags": ["Exploit", "Mailing List", "Patch"], "refsource": "MLIST"}, {"url": "https://www.drupal.org/SA-CORE-2014-005", "name": "https://www.drupal.org/SA-CORE-2014-005", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html", "name": "https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html", "tags": ["Exploit", "Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "http://www.debian.org/security/2014/dsa-3051", "name": "DSA-3051", "tags": ["Third Party Advisory"], "refsource": "DEBIAN"}, {"url": "http://secunia.com/advisories/59972", "name": "59972", "tags": ["Third Party Advisory"], "refsource": "SECUNIA"}, {"url": "http://www.exploit-db.com/exploits/34993", "name": "34993", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "refsource": "EXPLOIT-DB"}, {"url": "http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html", "name": "http://packetstormsecurity.com/files/128741/Drupal-HTTP-Parameter-Key-Value-SQL-Injection.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "refsource": "MISC"}, {"url": "http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html", "name": "http://packetstormsecurity.com/files/128721/Drupal-7.31-SQL-Injection.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "refsource": "MISC"}, {"url": "http://www.securityfocus.com/bid/70595", "name": "70595", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "BID"}, {"url": "http://seclists.org/fulldisclosure/2014/Oct/75", "name": "20141016 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability", "tags": ["Exploit", "Mailing List", "Patch", "Third Party Advisory"], "refsource": "FULLDISC"}, {"url": "http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html", "name": "http://packetstormsecurity.com/files/128720/Drupal-7.X-SQL-Injection.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "refsource": "MISC"}, {"url": "https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html", "name": "https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html", "tags": ["Exploit", "Third Party Advisory"], "refsource": "MISC"}, {"url": "http://osvdb.org/show/osvdb/113371", "name": "113371", "tags": ["Broken Link"], "refsource": "OSVDB"}, {"url": "http://www.exploit-db.com/exploits/34984", "name": "34984", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "refsource": "EXPLOIT-DB"}, {"url": "http://www.exploit-db.com/exploits/34992", "name": "34992", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "refsource": "EXPLOIT-DB"}, {"url": "http://www.exploit-db.com/exploits/35150", "name": "35150", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "refsource": "EXPLOIT-DB"}, {"url": "http://www.securityfocus.com/archive/1/533706/100/0/threaded", "name": "20141015 Advisory 01/2014: Drupal7 - pre Auth SQL Injection Vulnerability", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-89"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2014-3704", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2014-10-16T00:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "7.32", "versionStartIncluding": "7.0"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2021-09-29T14:08Z"}