Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
In Drupal Core, there exists a chain of methods (so-called gadget chain) which by itself does not pose a direct threat, but becomes an attack vector when the application has a separate vulnerability enabling deserialization of untrusted data. An attacker can inject a crafted object (Object Injection) which will be processed by this chain. This results in the possibility of remote code execution without the need for authentication.
An attacker can achieve full remote code execution (RCE) on the server, which may result in takeover of the application, data theft, or further compromise of the infrastructure.
Drupal Core should be updated to version 10.2.11, 10.3.9, or 11.0.8 (or newer). Detailed information is available in the vendor's security advisory: https://www.drupal.org/sa-core-2024-007
Drupal Core in versions: from 8.0.0 to 10.2.11 (before 10.2.11), from 10.3.0 to 10.3.9 (before 10.3.9), from 11.0.0 to 11.0.8 (before 11.0.8)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDrupal
APPDrupal8.0.0 – 10.2.11 (bez)10.3.0 – 10.3.9 (bez)11.0.0 – 11.0.8 (bez)
Related vulnerabilities
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentiall...
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to ex...
Deserialization gadget chain w Drupal Core umożliwiający RCE
Deserialization podatności w Drupal Core umożliwiająca RCE (Object Injection)
Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correct...