View online: https://www.drupal.org/sa-contrib-2024-039 Project: Security Kit [1] Date: 2024-September-11 Security risk: *Less critical* 9 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default [2] Vulnerability: Denial of Service Affected versions: <2.0.3 Description:  This module provides Drupal with various security-hardening options, for example by emitting various configurable HTTP response headers. The module doesn't sufficiently validate input in Content Security Policy (CSP) violation reports. This can cause errors when a logging module (e.g. dblog or syslog) attempts to parse the resulting log message which contains invalid data. This vulnerability is mitigated by the fact that to be affected a site must have seckit's CSP reporting functionality enabled. Recent versions of Drupal 10 and 11 core are not vulnerable due to improved parsing of log messages [3]. Solution:  Install the latest version: * If you use the 7.x-1.x branch of the seckit module, upgrade to seckit 7.x-1.13 [4] * If you use the 2.0.x branch of the seckit module, upgrade to seckit 2.0.3 [5] Reported By:  * _b0lli [6] Fixed By:  * jweowu [7] * Drew Webber [8] of the Drupal Security Team Coordinated By:  * Greg Knaddison [9] of the Drupal Security Team * Drew Webber [10] of the Drupal Security Team * Heine Deelstra [11] of the Drupal Security Team [1] https://www.drupal.org/project/seckit [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/drupal/issues/2481349 [4] https://www.drupal.org/project/seckit/releases/7.x-1.13 [5] https://www.drupal.org/project/seckit/releases/2.0.3 [6] https://www.drupal.org/user/3827467 [7] https://www.drupal.org/user/152788 [8] https://www.drupal.org/user/255969 [9] https://www.drupal.org/u/greggles [10] https://www.drupal.org/u/mcdruid [11] https://www.drupal.org/user/17943