CVE-2024-55636
Published: 2024-12-10
CVE-2024-55636: Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0…
Priority: P2 (61) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.90% (55.3rd percentile)
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | core | >= 11.0.0 < 11.0.8 | 11.0.8 |
| drupal | core | >= 8.0.0 < 10.2.11 | 10.2.11 |
| drupal | core | >= 8.8.0 < 10.2.11 | 10.2.11 |
| drupal | core-recommended | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | core-recommended | >= 11.0.0 < 11.0.8 | 11.0.8 |
| drupal | core-recommended | >= 8.8.0 < 10.2.11 | 10.2.11 |
| drupal | drupal | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | drupal | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | drupal | >= 11.0.0 < 11.0.8 | 11.0.8 |
| drupal | drupal | >= 11.0.0 < 11.0.8 | 11.0.8 |
| drupal | drupal | >= 8.0.0 < 10.2.11 | 10.2.11 |
| drupal | drupal | >= 8.8.0 < 10.2.11 | 10.2.11 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | drupal_core | >= 11.0.0 < 11.0.8 | 11.0.8 |
| drupal | drupal_core | >= 8.0.0 < 10.2.11 | 10.2.11 |
Detection & IOCs (extracted from sources)
- This is a gadget chain vulnerability — not directly exploitable on its own. Detection should focus on identifying a separate insecure deserialization sink (a vulnerability passing untrusted data to unserialize()) in the application, which would be the actual attack vector enabling exploitation of this gadget chain.
- The gadget chain, if triggered, leads to arbitrary file deletion. Monitor for unexpected file deletions on the Drupal server, particularly in the web root or configuration directories, as a post-exploitation indicator.
- Audit the Drupal Core version to identify vulnerable instances: affected ranges are 8.0.0 before 10.2.11, 10.3.0 before 10.3.9, and 11.0.0 before 11.0.8.
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- osv: 9.8 CRITICAL
Drupal
Drupal core - Less critical - Gadget chain - SA-CORE-2024-006
Source: vendor_drupal · 2024-11-20
CVE-2024-55636 [LOW] Drupal core - Less critical - Gadget chain - SA-CORE-2024-006
Title: Drupal core - Less critical - Gadget chain - SA-CORE-2024-006
Vulnerability Type: Gadget chain
Description: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Deletion. It is not directly exploitable. This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core. To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError.
Solution: Install the latest version: If you
OSV
Drupal core contains a potential PHP Object Injection vulnerability
Source: osv · 2024-12-10
CVE-2024-55636 [LOW] Drupal core contains a potential PHP Object Injection vulnerability
Drupal core contains a potential PHP Object Injection vulnerability
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Deletion. It is not directly exploitable.
This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.
To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.
This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, fro
GHSA
Drupal core contains a potential PHP Object Injection vulnerability
Source: ghsa · 2024-12-10
CVE-2024-55636 [LOW] CWE-502 Drupal core contains a potential PHP Object Injection vulnerability
Drupal core contains a potential PHP Object Injection vulnerability
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Deletion. It is not directly exploitable.
This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.
To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.
This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, fro
OSV
CVE-2024-55636: Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection
Source: osv · 2024-12-10 · CVSS 9.8
CVE-2024-55636 [CRITICAL] CVE-2024-55636: Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
OSV
CVE-2024-55636: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Deletion
Source: osv · 2024-11-20
CVE-2024-55636 CVE-2024-55636: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Deletion
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Deletion. It is not directly exploitable.
This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.
To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-12-10