CRITICAL🇵🇱 Wersja polska

CVE-2024-55636

CVSS 9.8v3.1pub. 2024-12-10upd. 2025-06-02

Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.

🤖 AI Analysis
How it works

Drupal Core contains a chain of methods (called a gadget chain) that becomes vulnerable to exploitation when another vulnerability exists in the application that enables deserialization of untrusted data. The gadget chain itself does not pose a direct threat; however, it is a vector that enables RCE if the application deserializes data from an untrusted source due to an additional vulnerability. The mechanism is based on CWE-915 (improperly controlled mass property assignment) and CWE-502 (deserialization of untrusted data).

Impact

An attacker can achieve remote code execution (RCE) on the server, which can consequently lead to complete takeover of the application, breach of confidentiality, integrity, and availability of data.

Mitigation & patch

Drupal Core should be updated to version 10.2.11, 10.3.9, or 11.0.8 in accordance with the official security advisory from the vendor available at https://www.drupal.org/sa-core-2024-006

Who is affected

Drupal Core in versions: from 8.0.0 to 10.2.10 (before 10.2.11), from 10.3.0 to 10.3.8 (before 10.3.9), from 11.0.0 to 11.0.7 (before 11.0.8)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Drupal

    APP
    Drupal
    8.0.0 – 10.2.11 (bez)10.3.0 – 10.3.9 (bez)11.0.0 – 11.0.8 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2018-7602CRITICAL9.8⚠ KEVten sam produkt

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentiall...

CVE-2018-7600CRITICAL9.8⚠ KEVten sam produkt

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to ex...

CVE-2024-55638CRITICAL9.8PL ✓ten sam produkt

Deserialization gadget chain w Drupal Core umożliwiający RCE

CVE-2024-55637CRITICAL9.8PL ✓ten sam produkt

Deserializacja niezaufanych danych w Drupal Core umożliwia RCE

CVE-2020-13675CRITICAL9.8ten sam produkt

Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correct...