Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001

Project:

Drupal core

Date:

2024-January-17

Security risk:

Moderately critical 11 ∕ 25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:Default

Vulnerability:

Denial of Service

Affected versions:

>=8.0 <10.1.8 || >=10.2 <10.2.2

CVE IDs:

CVE-2024-11941

Description:

The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).

Sites that do not use the Comment module are not affected.

Solution:

Install the latest version:

If you are using Drupal 10.2, update to Drupal 10.2.2.
If you are using Drupal 10.1, update to Drupal 10.1.8.

All versions of Drupal 10 prior to 10.1 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Drupal 7 is not affected.

Reported By:

Fixed By:

Lee Rowlands of the Drupal Security Team
Benji Fisher of the Drupal Security Team
Juraj Nemec of the Drupal Security Team
xjm of the Drupal Security Team
Lauri Eskola, provisional member of the Drupal Security Team

Contribution record

Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community