Advisory ID: DRUPAL-SA-CORE-2013-002

Project: Drupal core

Version: 7.x

Date: 2013-February-20

Security risk: Critical

Exploitable from: Remote

Vulnerability: Denial of service

Description

Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives, which can fill up the server's disk space and cause very high CPU load. Either effect may leave the site unavailable or unresponsive.

Please see the Drupal 7.20 release notes for important notes about the changes which were made to fix this issue, since some sites will require extra testing and care when deploying this Drupal core release.
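Drupal 7.20 addressed this by binding derivative URLs to a keyed token (the `itok` query parameter) so that only URLs the site itself generates can trigger derivative creation. The PHP below is an added illustration of that pattern, not Drupal core code; the key constants, URL layout, style list and helper names are assumptions.

```php
<?php
// Added example (not Drupal core code): signed image-derivative URLs.
// Assumed placeholders, not from the advisory: PRIVATE_KEY, HASH_SALT.
const PRIVATE_KEY = 'replace-with-site-private-key';
const HASH_SALT   = 'replace-with-site-hash-salt';

/**
 * Token binding a derivative request to (style, scheme, path). Without
 * the site's secret, a client cannot mint a valid token for a new path.
 */
function derivative_token(string $style, string $scheme, string $path): string {
    $key = PRIVATE_KEY . HASH_SALT;
    $raw = hash_hmac('sha256', $style . ':' . $scheme . ':' . $path, $key, true);
    // URL-safe base64 without padding.
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

/** Build the URL the site would emit for a derivative (assumed layout). */
function derivative_url(string $style, string $scheme, string $path): string {
    return sprintf('/sites/default/files/styles/%s/%s/%s?itok=%s',
        rawurlencode($style), $scheme, $path,
        derivative_token($style, $scheme, $path));
}

/**
 * Gate derivative generation: refuse unknown styles and unsigned or
 * mismatched tokens before any disk or CPU work is done. hash_equals()
 * keeps the comparison constant-time.
 */
function may_generate(array $known_styles, string $style, string $scheme,
                      string $path, ?string $itok): bool {
    if (!in_array($style, $known_styles, true)) {
        return false;   // unknown style name: nothing to generate
    }
    if ($itok === null || $itok === '') {
        return false;   // unsigned request: do not generate on demand
    }
    return hash_equals(derivative_token($style, $scheme, $path), $itok);
}

// Demonstration on constructed input.
$styles = ['thumbnail', 'medium', 'large'];
$good = derivative_url('thumbnail', 'public', 'photos/cat.jpg');
parse_str((string) parse_url($good, PHP_URL_QUERY), $q);
var_dump(may_generate($styles, 'thumbnail', 'public', 'photos/cat.jpg', $q['itok']));
// Same token reused for a different style, and a guessed token, are both refused.
var_dump(may_generate($styles, 'large', 'public', 'photos/cat.jpg', $q['itok']));
var_dump(may_generate($styles, 'thumbnail', 'public', 'photos/cat.jpg', 'guessed'));
```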

CVE identifier(s) issued

CVE-2013-0316

Versions affected

Drupal core 7.x versions prior to 7.20.

Solution

Install the latest version:

If you use Drupal 7.x, upgrade to Drupal core 7.20.

Also see the Drupal core project page.

Reported by

Fixed by

Coordinated by

David Rothstein of the Drupal Security Team

Stéphane Corlosquet of the Drupal Security Team

Peter Wolanin of the Drupal Security Team

Greg Knaddison of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.