CVE-2014-3704

Name	CVE-2014-3704
Description	The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-3051-1
Debian Bugs	765507

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
drupal7 (PTS)	jessie, jessie (lts)	7.32-1+deb8u19	fixed
	stretch (security), stretch (lts), stretch	7.52-2+deb9u18	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
drupal6	source	(unstable)	(not affected)
drupal7	source	wheezy	7.14-2+deb7u7	DSA-3051-1
drupal7	source	(unstable)	7.32-1		765507

- drupal6 <not-affected> (Only affects Drupal 7)