Low severityNVD Advisory· Published Dec 9, 2024· Updated Dec 16, 2024
Drupal core - Less critical - Gadget chain - SA-CORE-2024-006
CVE-2024-55636
Description
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
drupal/corePackagist | >= 8.8.0, < 10.2.11 | 10.2.11 |
drupal/corePackagist | >= 10.3.0, < 10.3.9 | 10.3.9 |
drupal/corePackagist | >= 11.0.0, < 11.0.8 | 11.0.8 |
drupal/core-recommendedPackagist | >= 8.8.0, < 10.2.11 | 10.2.11 |
drupal/core-recommendedPackagist | >= 10.3.0, < 10.3.9 | 10.3.9 |
drupal/core-recommendedPackagist | >= 11.0.0, < 11.0.8 | 11.0.8 |
drupal/drupalPackagist | >= 8.8.0, < 10.2.11 | 10.2.11 |
drupal/drupalPackagist | >= 10.3.0, < 10.3.9 | 10.3.9 |
drupal/drupalPackagist | >= 11.0.0, < 11.0.8 | 11.0.8 |
Affected products
5- osv-coords4 versionspkg:bitnami/drupalpkg:composer/drupal/corepkg:composer/drupal/core-recommendedpkg:composer/drupal/drupal
>= 8.0.0, < 10.3.9+ 3 more
- (no CPE)range: >= 8.0.0, < 10.3.9
- (no CPE)range: >= 8.8.0, < 10.2.11
- (no CPE)range: >= 8.8.0, < 10.2.11
- (no CPE)range: >= 8.8.0, < 10.2.11
- Range: 8.0.0
Patches
Vulnerability mechanics
References
4News mentions
1- Drupal core - Less critical - Gadget chain - SA-CORE-2024-006Drupal Security Advisories · Nov 20, 2024