CVE-2024-55637
Published 2024-12-10

CVE-2024-55637: Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0…
Priority: P2 · 61 · Critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.80% (52.1st percentile)
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Affected: 17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | core | >= 11.0.0 < 11.0.8 | 11.0.8 |
| drupal | core | >= 8.0.0 < 10.2.11 | 10.2.11 |
| drupal | core | >= 8.8.0 < 10.2.11 | 10.2.11 |
| drupal | core-recommended | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | core-recommended | >= 11.0.0 < 11.0.8 | 11.0.8 |
| drupal | core-recommended | >= 8.8.0 < 10.2.11 | 10.2.11 |
| drupal | drupal | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | drupal | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | drupal | >= 11.0.0 < 11.0.8 | 11.0.8 |
| drupal | drupal | >= 11.0.0 < 11.0.8 | 11.0.8 |
| drupal | drupal | >= 8.0.0 < 10.2.11 | 10.2.11 |
| drupal | drupal | >= 8.8.0 < 10.2.11 | 10.2.11 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | drupal_core | >= 11.0.0 < 11.0.8 | 11.0.8 |
| drupal | drupal_core | >= 8.0.0 < 10.2.11 | 10.2.11 |
Detection & IOCs (extracted from sources)
- This is a gadget chain vulnerability (PHP Object Injection) in Drupal Core — it is not directly exploitable on its own. Detection should focus on identifying unsafe deserialization calls (unserialize() receiving untrusted input) in combination with this gadget chain.
- Monitor for exploitation attempts that pass unsafe/serialized PHP objects to unserialize() calls within Drupal Core. A separate vulnerability enabling attacker-controlled input to unserialize() must be present for this gadget chain to be triggered.
- The gadget chain is only exploitable when chained with a separate deserialization vulnerability that allows attacker-controlled input to reach unserialize(). There are no known exploits in Drupal core itself as of the advisory.
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv · 9.8 CRITICAL
OSV
Drupal core contains a potential PHP Object Injection vulnerability
osv·2024-12-10
CVE-2024-55637 [HIGH] Drupal core contains a potential PHP Object Injection vulnerability
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.
To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.
This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before
OSV
CVE-2024-55637: Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection
osv·2024-12-10·CVSS 9.8
CVE-2024-55637 [CRITICAL] CVE-2024-55637: Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
GHSA
Drupal core contains a potential PHP Object Injection vulnerability
ghsa·2024-12-10
CVE-2024-55637 [HIGH] CWE-502 Drupal core contains a potential PHP Object Injection vulnerability
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.
To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.
This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before
OSV
CVE-2024-55637: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution
osv·2024-11-20
CVE-2024-55637: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.
To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.
Drupal
Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007
vendor_drupal·2024-11-20
CVE-2024-55637 [MEDIUM] Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007
Title: Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007
Vulnerability Type: Gadget chain
Description: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core. To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.
Solution: Install the latest
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-12-10