Platform: drupal
Component: drupal
Fixed in: 7.102, 10.2.11, 10.3.9
CVE-2024-55638 describes a potential PHP Object Injection vulnerability discovered in Drupal Core. While not directly exploitable on its own, this flaw could be leveraged for Remote Code Execution (RCE) if combined with a separate vulnerability allowing unsafe input to unserialize(). This vulnerability affects Drupal Core versions up to 9.5.9, but is resolved in version 10.2.11.
The core of the vulnerability lies in the potential for an attacker to inject malicious PHP objects. While Drupal Core currently lacks a known vulnerability allowing direct exploitation of this injection, the risk remains if another flaw exists that can pass unsafe data to the unserialize() function. Successful exploitation could allow an attacker to execute arbitrary code on the server, potentially leading to complete system compromise, data exfiltration, and denial of service. The blast radius is significant, impacting any system running a vulnerable Drupal Core instance.
CVE-2024-55638 is not currently tracked on KEV or EPSS. The CVSS score of 9.8 (CRITICAL) indicates a high potential for exploitation if a suitable attack vector is found. No public Proof-of-Concept (POC) exploits are currently known. Published on 2024-12-10.
Exploit status
EPSS: 5.15% (90th percentile)
CVSS vector
The primary mitigation for CVE-2024-55638 is to upgrade Drupal Core to version 10.2.11 or later. This version includes additional checks in the database code designed to prevent the object injection. If immediate upgrading is not feasible, carefully review third-party database driver release notes for any related vulnerabilities and apply necessary patches. Consider implementing a Web Application Firewall (WAF) with rules to detect and block suspicious unserialization attempts as a temporary measure. After upgrading, confirm the fix by attempting to trigger the vulnerable code path and verifying that it is now properly sanitized.
Update Drupal Core to the latest available version. Specifically, update to version 7.102, 10.2.11 or 10.3.9, or a later version. This fixes the untrusted-data deserialization vulnerability.
Yes, even if you don't have third-party modules, it is recommended to update to version 10.2.11 or higher to mitigate the potential risk of CVE-2024-55638. Although exploitation is unlikely, the update is an important preventative measure.
If you can't update immediately, closely monitor your site for suspicious activity and consider implementing firewall rules to restrict access to the unserialize() function.
This vulnerability primarily affects Drupal Core versions. Third-party modules can introduce similar vulnerabilities, so it's important to keep them updated as well.
Use Drupal security auditing tools or consult the vulnerability lists of the third-party modules you use to identify potential issues.
PHP Object Injection is an attack technique that allows an attacker to inject malicious PHP code into an application, which can lead to arbitrary code execution.
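As an added defensive example (not code from this page or from the Drupal project), the following Python scans request bodies for well-formed serialized PHP object headers, the kind of input that must never reach unserialize(), in the spirit of the WAF rule suggested in the mitigation section and the definition above; the sample bodies and the class name Acme\Widget are constructed for the example.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# PHP object header  O:<len>:"<class>":<n>:{   (C: is the custom-serialization form)
_PHP_OBJECT_RE = re.compile(r'(?P<kind>[OC]):(?P<len>\d+):"(?P<cls>[^"]*)":(?P<n>\d+):\{')


def find_php_objects(payload: str) -> List[str]:
    """Return the class name of every well-formed serialized PHP object in payload.

    The body is URL-decoded first, since form data usually arrives encoded.
    A hit is only reported when the declared length matches the class name,
    which PHP itself requires; this drops noise such as a stray 'O:1:' token.
    """
    decoded = unquote(payload)
    hits = []
    for m in _PHP_OBJECT_RE.finditer(decoded):
        if int(m.group("len")) == len(m.group("cls")):
            hits.append(m.group("cls"))
    return hits


def classify_request(body: str, allowed_classes: Tuple[str, ...] = ()) -> Dict[str, object]:
    """WAF-style decision: block when any object outside the allow-list appears.

    The default allow-list is empty, so any serialized object is blocked.
    """
    classes = find_php_objects(body)
    unexpected = [c for c in classes if c not in allowed_classes]
    return {"classes": classes, "unexpected": unexpected, "block": bool(unexpected)}


# Constructed sample request bodies (not captured from any real system).
SAMPLES = {
    "plain-form": "title=Hello&body=World",
    "stdclass-only": 'data=O:8:"stdClass":1:{s:4:"name";s:3:"abc";}',
    "url-encoded": "data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",
    "unknown-class": 'data=O:11:"Acme\\Widget":1:{s:4:"name";s:3:"abc";}',
    "malformed": 'data=O:3:"stdClass":0:{}',  # length mismatch, PHP would reject it
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, classify_request(body, allowed_classes=("stdClass",)))
```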