CVE-2024-55638
Published: 2024-12-10
Priority: P2 (63) · critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.96% (57.0th percentile)
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | core | >= 7.0 < 7.102 | 7.102 |
| drupal | core | >= 8.0.0 < 10.2.11 | 10.2.11 |
| drupal | core | >= 8.8.0 < 10.2.11 | 10.2.11 |
| drupal | core-recommended | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | core-recommended | >= 7.0 < 7.102 | 7.102 |
| drupal | core-recommended | >= 8.8.0 < 10.2.11 | 10.2.11 |
| drupal | drupal | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | drupal | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | drupal | >= 7.0 < 7.102 | 7.102 |
| drupal | drupal | >= 7.0 < 7.102 | 7.102 |
| drupal | drupal | >= 8.0.0 < 10.2.11 | 10.2.11 |
| drupal | drupal | >= 8.8.0 < 10.2.11 | 10.2.11 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 10.3.0 < 10.3.9 | 10.3.9 |
| drupal | drupal_core | >= 7.0 < 7.102 | 7.102 |
| drupal | drupal_core | >= 8.0.0 < 10.2.11 | 10.2.11 |
Detection & IOCs (extracted from sources)
- Additional checks were added to Drupal core's database code as a mitigation; if a third-party database driver is in use, check its release notes for additional configuration steps that may be required. A site missing these checks may be unpatched or misconfigured.
- Flag Drupal Core versions in the affected ranges (7.0–7.101, 8.0.0–10.2.10, 10.3.0–10.3.8) during asset inventory or vulnerability scanning, as these are unpatched against the gadget chain.
- The gadget chain itself is not directly exploitable; exploitation requires a separate vulnerability that passes untrusted data to unserialize(). No such exploit in Drupal core was known at the time of disclosure.
- Sites using third-party database drivers may require additional manual configuration steps beyond updating Drupal core; consult the driver's release notes.
CVSS provenance
- nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- osv: 9.8 CRITICAL
OSV
Drupal core contains a potential PHP Object Injection vulnerability
osv · 2024-12-10 · CVE-2024-55638 [HIGH]
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.
To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases.
This issue affects Drupal Core: from 7.0 before 7.102, fro
OSV
CVE-2024-55638: Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection
osv · 2024-12-10 · CVSS 9.8 · CVE-2024-55638 [CRITICAL]
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
GHSA
Drupal core contains a potential PHP Object Injection vulnerability
ghsa · 2024-12-10 · CVE-2024-55638 [HIGH] · CWE-502
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.
To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases.
This issue affects Drupal Core: from 7.0 before 7.102, fro
OSV
CVE-2024-55638: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution
osv · 2024-11-20 · CVE-2024-55638
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.
To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases.
Drupal
Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008
vendor_drupal · 2024-11-20 · CVE-2024-55638 [MEDIUM]
Title: Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008
Vulnerability Type: Gadget chain
Description: Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core. To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases.
Solutio
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.