High severityNVD Advisory· Published Dec 9, 2024· Updated Dec 16, 2024
Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008
CVE-2024-55638
Description
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
drupal/corePackagist | >= 8.8.0, < 10.2.11 | 10.2.11 |
drupal/corePackagist | >= 10.3.0, < 10.3.9 | 10.3.9 |
drupal/corePackagist | >= 7.0, < 7.102 | 7.102 |
drupal/core-recommendedPackagist | >= 8.8.0, < 10.2.11 | 10.2.11 |
drupal/core-recommendedPackagist | >= 10.3.0, < 10.3.9 | 10.3.9 |
drupal/core-recommendedPackagist | >= 7.0, < 7.102 | 7.102 |
drupal/drupalPackagist | >= 8.8.0, < 10.2.11 | 10.2.11 |
drupal/drupalPackagist | >= 10.3.0, < 10.3.9 | 10.3.9 |
drupal/drupalPackagist | >= 7.0, < 7.102 | 7.102 |
Affected products
5- osv-coords4 versionspkg:bitnami/drupalpkg:composer/drupal/corepkg:composer/drupal/core-recommendedpkg:composer/drupal/drupal
>= 7.0.0, < 10.3.9+ 3 more
- (no CPE)range: >= 7.0.0, < 10.3.9
- (no CPE)range: >= 8.8.0, < 10.2.11
- (no CPE)range: >= 8.8.0, < 10.2.11
- (no CPE)range: >= 8.8.0, < 10.2.11
- Range: 7.0
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-gvf2-2f4g-jqf4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-55638ghsaADVISORY
- www.drupal.org/sa-core-2024-008ghsaWEB
News mentions
1- Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008Drupal Security Advisories · Nov 20, 2024