Platform
drupal
Component
drupal
Fixed in
10.2.11
10.3.9
11.0.8
CVE-2024-55637 identifies a potential PHP Object Injection vulnerability in Drupal Core. It is not directly exploitable on its own: an attacker first needs a separate vulnerability that passes unsafe input to unserialize(). With such a primitive in hand, however, the object injection can be chained into Remote Code Execution (RCE). The affected range is Drupal Core 8.0.0 through 10.2.x before 10.2.11, 10.3.x before 10.3.9 and 11.0.x before 11.0.8; the fixes shipped in 10.2.11, 10.3.9 and 11.0.8 respectively (Drupal 7 is not in the listed range).
The impact, if the chain can be completed, is severe. An attacker who already holds a separate vulnerability that delivers attacker-controlled data to unserialize() could use this gadget chain to execute arbitrary code on the server hosting the Drupal instance, with the usual consequences: full compromise of the web server, theft of the site database and stored credentials, persistent malware, and lateral movement from the compromised host. The blast radius is every system reachable from the Drupal server with the credentials it holds. On its own, though, the advisory describes no such entry point in Drupal core: the gadget chain is a force multiplier for another bug, not a standalone remote exploit.
CVE-2024-55637 was published on December 10, 2024. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog; its EPSS score is 7.61% (92nd percentile), which is elevated for a flaw with no standalone exploit, so treat it as a priority item rather than a low-likelihood one. No public proof-of-concept (PoC) exploit is currently known. The NVD entry carries further details. Given the RCE potential, monitoring for deserialization attempts against the site and targeted threat hunting are recommended.
Organizations running Drupal Core 8.x through 10.2.x below 10.2.11, 10.3.x below 10.3.9 or 11.0.x below 11.0.8 are in the affected range. Sites with contributed or custom modules and themes deserve particular attention, because that is where a second bug passing user input to unserialize() is most likely to exist, and the typed-property hardening in core does not cover classes those modules define. Shared hosting environments where the tenant cannot control core updates remain exposed until the host applies the update.
Disclosure
Exploit status
EPSS
7.61% (92nd percentile)
CVSS vector
The primary mitigation for CVE-2024-55637 is to upgrade Drupal Core to a fixed release: 10.2.11, 10.3.9 or 11.0.8, depending on the branch you run. The fix adds type declarations to properties in core classes. PHP enforces those declarations during unserialize(), so a payload that substitutes a foreign object into a typed property fails with a TypeError before any gadget chain can run. If upgrading is not immediately possible, audit the code base (core, contributed and custom modules) for any path that passes user-controlled data to unserialize() and remove it; where deserializing untrusted input is unavoidable, restrict it with the `allowed_classes` option of `unserialize()` or move to a data-only format such as JSON. A Web Application Firewall (WAF) rule that flags serialized-object signatures (`O:<length>:"ClassName"`) in request parameters, including base64- or URL-encoded forms, can detect attempts. After upgrading, confirm the installed version (for example with `composer show drupal/core` or `drush status`) rather than firing payloads at the site: because the chain needs a second vulnerability to be reachable at all, a payload test proves little about the fix.
Update Drupal Core to the latest available version. For versions 8.x through 10.2.x, update to 10.2.11 or later. For 10.3.x, update to 10.3.9 or later. For 11.0.x, update to 11.0.8 or later.
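The following is an added example, not Drupal's code and not part of the advisory. The class names (Logger, ShellRunner, CleanupTaskUntyped, CleanupTaskTyped) and the inert "gadget" sink are hypothetical stand-ins. It shows the primitive described above (a crafted serialized object that substitutes an attacker-chosen class into a property, reached through a magic method when the object is destroyed) and why the property type declarations added in the fixed releases stop it: unserialize() enforces the declared type and throws a TypeError before any chain executes. It also shows the call-site defence (allowed_classes) and a simple signature check of the kind a WAF rule or log hunt would apply to request parameters.

```php
<?php
declare(strict_types=1);

// Added example (not Drupal code): the object-injection primitive behind
// CVE-2024-55637 and why property type declarations blunt it. All names hypothetical.

// The collaborator the application expects to find in the property.
final class Logger
{
    public function log(string $line): void
    {
        echo "[log] {$line}\n";
    }
}

// Hypothetical gadget: a loadable class with the same method name but dangerous behaviour.
// A real chain would end in system()/exec()/file_put_contents(); kept inert here.
final class ShellRunner
{
    public function log(string $line): void
    {
        echo "[gadget] would execute: {$line}\n";
    }
}

// Before the fix: untyped property, so unserialize() stores whatever object the payload names.
final class CleanupTaskUntyped
{
    public $logger;                 // meant to hold a Logger; nothing enforces it
    public $message = 'done';

    public function __destruct()
    {
        if (isset($this->logger)) {
            $this->logger->log($this->message);   // sink: method call on an attacker-chosen object
        }
    }
}

// After the fix: typed property. unserialize() checks the type and throws TypeError on mismatch.
final class CleanupTaskTyped
{
    public Logger $logger;
    public string $message = 'done';

    public function __destruct()
    {
        if (isset($this->logger)) {           // false for an uninitialized typed property
            $this->logger->log($this->message);
        }
    }
}

// Constructed payload, built the way an attacker would craft it offline:
// the task object with a ShellRunner in the logger slot and "id" as the message.
function payload(string $targetClass): string
{
    return sprintf(
        'O:%d:"%s":2:{s:6:"logger";O:11:"ShellRunner":0:{}s:7:"message";s:2:"id";}',
        strlen($targetClass),
        $targetClass
    );
}

// Feed the payload to unserialize() and report what happened.
function attempt(string $label, string $targetClass, array $options = []): string
{
    try {
        $obj = unserialize(payload($targetClass), $options);
        $result = $obj === false ? 'unserialize() returned false' : 'got ' . get_class($obj);
        echo "{$label}: {$result}\n";
        unset($obj);                // destroy now so any destructor output follows its label
    } catch (TypeError $e) {
        $result = 'TypeError: ' . $e->getMessage();
        echo "{$label}: {$result}\n";
    }
    return $result;
}

// WAF / log-hunting helper: does a request value carry a serialized PHP object?
// Serialized objects start with O:<len>:"<Class>":<n>:{ (or C: for Serializable classes).
// Decode base64 and URL encoding before applying this to real traffic.
function looksLikeSerializedObject(string $value): bool
{
    return preg_match('/(?:^|[^A-Za-z0-9])[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/', $value) === 1;
}

attempt('untyped property', 'CleanupTaskUntyped');   // ShellRunner::log() runs when the object is destroyed
attempt('typed property', 'CleanupTaskTyped');       // TypeError during unserialize(); the chain never runs
attempt('allowed_classes=false', 'CleanupTaskUntyped', ['allowed_classes' => false]);
                                                     // classes are not instantiated; __PHP_Incomplete_Class instead

var_dump(looksLikeSerializedObject(payload('CleanupTaskUntyped')));   // serialized object: flagged
var_dump(looksLikeSerializedObject('{"logger":"ShellRunner"}'));      // plain JSON: not flagged
```

Run it with `php gadget_demo.php` on PHP 7.4 or later (typed properties). The first call shows the chain completing through `__destruct`; the second shows the same payload rejected purely because `$logger` is declared as `Logger`, which is the mechanism the fixed Drupal releases rely on. The third shows the defence available at any call site that must deserialize untrusted input when the code cannot be changed to use JSON.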
CVE-2024-55637 is a potentially severe PHP Object Injection (gadget chain) vulnerability in Drupal Core. It is not exploitable on its own, but combined with a separate flaw that passes untrusted input to unserialize() it could lead to Remote Code Execution.
Yes, if you run Drupal Core 8.x through 10.2.x below 10.2.11, 10.3.x below 10.3.9, or 11.0.x below 11.0.8, you are in the affected range.
Upgrade Drupal Core to 10.2.11, 10.3.9 or 11.0.8 (or later in the respective branch). As an interim measure, ensure no code path passes untrusted input to unserialize().
There is currently no evidence of active exploitation in the wild and the CVE is not in CISA's KEV catalog, but the potential for RCE warrants prompt remediation.
Refer to the official Drupal security advisory at https://www.drupal.org/security/advisories/cve-2024-55637 for detailed information and updates.