=====================================================================
                            CERT-Renater

                 Information Note No. 2024/VULN041
_____________________________________________________________________

DATE                 : 18/01/2024

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Drupal core versions prior to
                       10.2.2, 10.1.8.

=====================================================================
https://www.drupal.org/sa-core-2024-001
_____________________________________________________________________

Drupal core - Moderately critical - Denial of Service -
SA-CORE-2024-001

Project:           Drupal core
Date:              2024-January-17
Security risk:     Moderately critical 11∕25
                   AC:None/A:None/CI:None/II:None/E:Theoretical/TD:Default
Vulnerability:     Denial of Service
Affected versions: >=8.0 <10.1.8 || >=10.2 <10.2.2

Description:

The Comment module allows users to reply to comments. In certain
cases, an attacker could make comment reply requests that would
trigger a denial of service (DOS).

Sites that do not use the Comment module are not affected.

Solution:

Install the latest version:

  If you are using Drupal 10.2, update to Drupal 10.2.2.
  If you are using Drupal 10.1, update to Drupal 10.1.8.

All versions of Drupal 10 prior to 10.1 are end-of-life and do not
receive security coverage. (Drupal 8 and Drupal 9 have both reached
end-of-life.)

Drupal 7 is not affected.

Reported By:

  Alexander Antonenko
  Doug Green

Fixed By:

  Lee Rowlands of the Drupal Security Team
  Benji Fisher of the Drupal Security Team
  Juraj Nemec of the Drupal Security Team
  xjm of the Drupal Security Team
  Lauri Eskola, provisional member of the Drupal Security Team

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================