View online: https://www.drupal.org/sa-core-2024-001
Project: Drupal core [1]
Date: 2024-January-17
Security risk: *Moderately critical* 11∕25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Denial of Service
Affected versions: >=8.0 <10.1.8 || >=10.2 <10.2.2
Description: The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).
Sites that do not use the Comment module are not affected.
Solution: Install the latest version:
* If you are using Drupal 10.2, update to Drupal 10.2.2 [3].
* If you are using Drupal 10.1, update to Drupal 10.1.8 [4].
All versions of Drupal 10 prior to 10.1 are end-of-life and do not receive security coverage. (Drupal 8 [5] and Drupal 9 [6] have both reached end-of-life.)
Drupal 7 is not affected.
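Added example (not part of the advisory or of Drupal core): a small triage script that applies the affected-version constraint, the Comment module exemption and the fixed releases stated above to a site inventory. The inventory entries and the function names are constructed for illustration.

```python
import re

# Affected range and fixed releases, copied from the advisory text.
AFFECTED = ">=8.0 <10.1.8 || >=10.2 <10.2.2"
FIXED = {(10, 2): "10.2.2", (10, 1): "10.1.8"}
OPS = {">=": lambda a, b: a >= b, "<": lambda a, b: a < b}

def parse_version(text):
    """'10.1.7' -> (10, 1, 7). Missing parts count as 0; a pre-release
    suffix such as '-rc1' is dropped (simplifying assumption)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def in_affected_range(version, constraint=AFFECTED):
    """True if version satisfies any '||' alternative of the constraint."""
    v = parse_version(version)
    for alternative in constraint.split("||"):
        clauses = re.findall(r"(>=|<)\s*([\d.]+)", alternative)
        if clauses and all(OPS[op](v, parse_version(b)) for op, b in clauses):
            return True
    return False

def triage(version, uses_comment):
    """Return (affected, action) for one site."""
    if not in_affected_range(version):
        return (False, "none: version outside affected range")
    if not uses_comment:
        return (False, "none: Comment module not in use")
    fixed = FIXED.get(parse_version(version)[:2])
    if fixed:
        return (True, "update to " + fixed)
    return (True, "branch is end-of-life: no fixed release on this branch")

# Constructed sample inventory: (site, core version, uses Comment module).
INVENTORY = [
    ("blog", "10.2.1", True),
    ("intranet", "10.1.7", True),
    ("brochure", "10.1.7", False),
    ("legacy", "9.5.11", True),
    ("archive", "7.98", True),
    ("patched", "10.2.2", True),
]

if __name__ == "__main__":
    for site, version, uses_comment in INVENTORY:
        print(site, version, *triage(version, uses_comment))
```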
Reported By:
* Alexander Antonenko [7]
* Doug Green [8]
Fixed By:
* Lee Rowlands [9] of the Drupal Security Team
* Benji Fisher [10] of the Drupal Security Team
* Juraj Nemec [11] of the Drupal Security Team
* xjm [12] of the Drupal Security Team
* Lauri Eskola [13], provisional member of the Drupal Security Team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/10.2.2
[4] https://www.drupal.org/project/drupal/releases/10.1.8
[5] https://www.drupal.org/psa-2021-06-29
[6] https://www.drupal.org/psa-2023-11-01
[7] https://www.drupal.org/user/225734
[8] https://www.drupal.org/user/29191
[9] https://www.drupal.org/user/395439
[10] https://www.drupal.org/user/683300
[11] https://www.drupal.org/user/272316
[12] https://www.drupal.org/user/65776
[13] https://www.drupal.org/user/1078742