Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2016-9452

CVE-2016-9452:
Drupal Denial of service via transliterate mechanism

6.5

CVSS Score

Basic Information

CVE ID
CVE-2016-9452
GHSA ID
GHSA-jpj8-49hr-wcwv
EPSS Score
-
CWE
CWE-20
Published
5/17/2022
Updated
4/23/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
drupal/corecomposer>= 8.0, < 8.2.38.2.3
drupal/drupalcomposer>= 8.0, < 8.2.38.2.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability explicitly references the transliteration mechanism as the attack vector. The PhpTransliteration::transliterate() method is the core implementation of this functionality in Drupal 8.x. The CWE-20 (Improper Input Validation) alignment suggests the function failed to properly validate/sanitize input before processing. The patched version (8.2.3) likely added input validation or optimized the algorithm to prevent CPU exhaustion via crafted inputs. While no direct commit diff is available, the function's role in URL processing and the vulnerability description strongly implicate it as the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** tr*nslit*r*t* m****nism in *rup*l *.x ***or* *.*.* *llows r*mot* *tt**k*rs to **us* * **ni*l o* s*rvi** vi* * *r**t** URL.

Reasoning

T** vuln*r**ility *xpli*itly r***r*n**s t** tr*nslit*r*tion m****nism *s t** *tt**k v**tor. T** P*pTr*nslit*r*tion::tr*nslit*r*t*() m*t*o* is t** *or* impl*m*nt*tion o* t*is *un*tion*lity in *rup*l *.x. T** *W*-** (Improp*r Input V*li**tion) *li*nm*n