Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Drupal Core contains a chain of methods (called a gadget chain) that becomes vulnerable to exploitation when another vulnerability exists in the application that enables deserialization of untrusted data. The gadget chain itself does not pose a direct threat; however, it is a vector that enables RCE if the application deserializes data from an untrusted source due to an additional vulnerability. The mechanism is based on CWE-915 (improperly controlled mass property assignment) and CWE-502 (deserialization of untrusted data).
An attacker can achieve remote code execution (RCE) on the server, which can consequently lead to complete takeover of the application, breach of confidentiality, integrity, and availability of data.
Drupal Core should be updated to version 10.2.11, 10.3.9, or 11.0.8 in accordance with the official security advisory from the vendor available at https://www.drupal.org/sa-core-2024-006
Drupal Core in versions: from 8.0.0 to 10.2.10 (before 10.2.11), from 10.3.0 to 10.3.8 (before 10.3.9), from 11.0.0 to 11.0.7 (before 11.0.8)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDrupal
APPDrupal8.0.0 – 10.2.11 (bez)10.3.0 – 10.3.9 (bez)11.0.0 – 11.0.8 (bez)
Related vulnerabilities
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentiall...
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to ex...
Deserialization gadget chain w Drupal Core umożliwiający RCE
Deserializacja niezaufanych danych w Drupal Core umożliwia RCE
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correct...