Advisory 46 : Drupal Releases Security Advisory for Drupal Core
Release Date : 10th of January 2024
Impact : Moderately CRITICAL
TLP Rating: Clear
CERT Vanuatu (CERTVU) and the Office of the Chief Information Officer (OGCIO) provide the following advisory.
What is it?
Drupal released a security advisory to address a vulnerability affecting multiple Drupal core versions. A cyber threat actor could exploit this vulnerability to cause a denial-of-service (DoS) condition.
What systems are affected?
Affected Versions: >=8.0 <10.1.8 || >=10.2 <10.2.2
What does this mean?
The Comment module allows users to reply to comments. In certain cases, an attacker could make comment and reply requests that would trigger a denial of service (DoS).
Sites that do not use the Comment module are not affected.
Mitigation process
- Administrators are recommended to install the latest version.
- If you are using Drupal 10.2, update to Drupal 10.2.2.
- If you are using Drupal 10.1, update to Drupal 10.1.8.
All versions of Drupal 10 prior to 10.1 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Drupal 7 is not affected.
CERTVU urges administrators to review the Drupal security advisory SA-CORE-2024-001 for more information and apply the necessary update.
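The affected-version range above is written in Composer's constraint notation, and the advisory's two conditions (core version inside that range, Comment module enabled) are easy to check mechanically across a fleet of sites. The following script is an added example, not code from Drupal or CERTVU: it evaluates the advisory's range expression against the drupal/core version found in a composer.lock document and looks for the Comment module in an exported core.extension.yml, then reports which of the advisory's update targets applies. Both input documents below are constructed samples; the composer.lock and core.extension.yml layouts are assumptions about how a site exposes this information, and the minimal YAML scanner only handles the flat "module:" map those exports use.

```python
"""Exposure check for SA-CORE-2024-001 (added example, not Drupal's or CERTVU's code).

Assumptions (not from the advisory): the installed core version comes from a
composer.lock-style JSON document and the enabled-module list from a
core.extension.yml-style export. The sample inputs are constructed.
"""
import json
import re

# Affected range exactly as stated in the advisory (Composer constraint syntax).
AFFECTED_RANGE = ">=8.0 <10.1.8 || >=10.2 <10.2.2"

# Fixed release the advisory names for each still-supported minor branch.
FIXED_VERSIONS = {"10.1": "10.1.8", "10.2": "10.2.2"}

_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
}


def parse_version(text):
    """Turn '10.1.8' or '10.2' into a 3-tuple of ints; a pre-release suffix such
    as '-rc1' is ignored, so an RC is treated like its base version (conservative)."""
    core = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not core:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def _satisfies(v, constraint):
    m = re.fullmatch(r"(>=|<=|>|<)(\S+)", constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    return _OPS[m.group(1)](v, parse_version(m.group(2)))


def version_in_range(version, range_expr=AFFECTED_RANGE):
    """'||' separates alternatives; whitespace inside an alternative means AND."""
    v = parse_version(version)
    return any(
        all(_satisfies(v, c) for c in alt.split())
        for alt in range_expr.split("||")
        if alt.strip()
    )


def installed_core_version(composer_lock_text):
    """Read the drupal/core version recorded in a composer.lock document."""
    for pkg in json.loads(composer_lock_text).get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg["version"]
    raise LookupError("drupal/core not found in composer.lock")


def comment_module_enabled(core_extension_yml):
    """Look for 'comment' under the top-level 'module:' map. This is a line
    scanner for the flat export layout, not a general YAML parser."""
    in_modules = False
    for line in core_extension_yml.splitlines():
        if not line.startswith(" "):
            in_modules = line.rstrip() == "module:"
            continue
        if in_modules and line.strip().split(":")[0] == "comment":
            return True
    return False


def assess(composer_lock_text, core_extension_yml):
    """Return (status, advice); status is 'not_affected', 'affected_module_disabled' or 'affected'."""
    version = installed_core_version(composer_lock_text)
    if not version_in_range(version):
        return "not_affected", f"drupal/core {version} is outside the affected range"
    branch = ".".join(version.split(".")[:2])
    if branch in FIXED_VERSIONS:
        advice = f"update drupal/core {version} to {FIXED_VERSIONS[branch]}"
    else:
        advice = (f"drupal/core {version} is on the end-of-life {branch} branch; "
                  "upgrade to a supported release (10.2.2 or later)")
    if not comment_module_enabled(core_extension_yml):
        return "affected_module_disabled", f"Comment module is disabled, so the DoS is not reachable; still {advice}"
    return "affected", advice


# Constructed sample inputs: a 10.2.1 site with the Comment module enabled.
SAMPLE_COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "10.2.1"},
    {"name": "drupal/core-composer-scaffold", "version": "10.2.1"},
]})
SAMPLE_CORE_EXTENSION = "_core:\n  default_config_hash: CONSTRUCTED\nmodule:\n  comment: 0\n  node: 0\n  system: 0\ntheme:\n  olivero: 0\nprofile: standard\n"

if __name__ == "__main__":
    status, advice = assess(SAMPLE_COMPOSER_LOCK, SAMPLE_CORE_EXTENSION)
    print(f"{status}: {advice}")
```

Running the script on the sample prints `affected: update drupal/core 10.2.1 to 10.2.2`. A site on 10.1.8 or 10.2.2 is reported as not affected, and a site on a Drupal 8 or 9 release is flagged as affected on an end-of-life branch, matching the advisory's note that those branches receive no security coverage.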
References
- https://www.cisa.gov/news-events/alerts/2024/01/18/drupal-releases-security-advisory-drupal-core
- https://www.drupal.org/sa-core-2024-001
- Download advisory (English): Drupal Releases Security Advisory for Drupal Core
- Download advisory (Bislama): Drupal i Rilisim Sekuriti Advaeseri blong Drupal Core
- Download advisory (French): Avis sur Drupal