VYPR
Low severityNVD Advisory· Published Dec 9, 2024· Updated Dec 16, 2024

Drupal core - Less critical - Gadget chain - SA-CORE-2024-006

CVE-2024-55636

Description

Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
drupal/corePackagist
>= 8.8.0, < 10.2.1110.2.11
drupal/corePackagist
>= 10.3.0, < 10.3.910.3.9
drupal/corePackagist
>= 11.0.0, < 11.0.811.0.8
drupal/core-recommendedPackagist
>= 8.8.0, < 10.2.1110.2.11
drupal/core-recommendedPackagist
>= 10.3.0, < 10.3.910.3.9
drupal/core-recommendedPackagist
>= 11.0.0, < 11.0.811.0.8
drupal/drupalPackagist
>= 8.8.0, < 10.2.1110.2.11
drupal/drupalPackagist
>= 10.3.0, < 10.3.910.3.9
drupal/drupalPackagist
>= 11.0.0, < 11.0.811.0.8

Affected products

5

Patches

Vulnerability mechanics

References

4

News mentions

1