Platform
drupal
Component
drupal
Fixed in
7.102
10.2.11
10.3.9
CVE-2024-55638 is a potential PHP Object Injection vulnerability in Drupal core. It is not directly exploitable on its own, but it could lead to Remote Code Execution if combined with another vulnerability that lets an attacker control input passed to unserialize(). Per the fixed releases listed above, it affects Drupal 7 before 7.102, Drupal 8.x through 10.2 before 10.2.11, and Drupal 10.3 before 10.3.9.
CVE-2024-55638 identifies a potential PHP Object Injection vulnerability within Drupal Core. The issue is a gadget: code that does something dangerous when an object of a certain class is reconstructed by unserialize(). It is not exploitable on its own, but it could lead to Remote Code Execution (RCE) if combined with a second flaw that lets an attacker pass attacker-controlled serialized data to unserialize(). The page rates it 9.8 on the CVSS scale, which reflects the worst-case outcome of such a chain. Drupal Core currently has no known vulnerability that hands untrusted data to unserialize() in a way that would trigger this gadget. Updating to the fixed release for your branch (7.102, 10.2.11 or 10.3.9) is the primary mitigation.
CVE-2024-55638 requires a specific context to be exploited; it is not a 'plug-and-play' vulnerability. To make it viable, an attacker would need a second vulnerability, in Drupal Core or in a third-party module, that lets them control the string passed to unserialize(). With that control, the attacker chooses which classes get instantiated and with which property values, and PHP magic methods such as __wakeup() or __destruct() on those objects run automatically, forming a gadget chain that can end in arbitrary code execution. The absence of a known entry point in Drupal Core means this scenario is currently unlikely, but the possibility exists and justifies patching.
Exploit Status
EPSS
5.15% (90th percentile)
CVSS Vector
The primary mitigation for CVE-2024-55638 is to update Drupal Core to 7.102, 10.2.11 or 10.3.9 (or later) depending on your branch. This update adds checks that prevent the affected gadget from being abused. Although there is no known entry point in Drupal Core that allows direct exploitation, keeping core updated is a fundamental security practice. Additionally, review the third-party and custom modules you have installed for code that calls unserialize() on request-derived data (query parameters, cookies, form values, uploaded files); any such call is the second vulnerability this gadget needs. Where serialized data must be accepted, pass the allowed_classes option to unserialize(), or use a format such as JSON that cannot instantiate objects. Continuous monitoring and patching are crucial for maintaining the security of your Drupal site.
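The following is an added example, not code from Drupal core or from this page, illustrating the two halves described above: how a gadget class becomes code execution once a second bug lets an attacker control the input to unserialize(), and how the allowed_classes option closes the sink. The class LogFlusher, the functions restoreSessionStateVulnerable() and restoreSessionStateHardened(), and the payload are all constructed for the illustration; real gadget chains live in classes that are already loaded by the application.

```php
<?php
// Added example, not Drupal code. Demonstrates PHP Object Injection
// through an attacker-controlled unserialize() call and its hardening.

// Hypothetical gadget: a class whose destructor writes a file. The
// attacker never calls this class; PHP runs __destruct() for them.
class LogFlusher
{
    public string $logFile = '/tmp/app.log';
    public string $content = '';

    // Invoked automatically when the object is destroyed.
    public function __destruct()
    {
        file_put_contents($this->logFile, $this->content);
    }
}

// Vulnerable sink: serialized data taken straight from the request is
// deserialized with no restriction on which classes may be created.
function restoreSessionStateVulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened sink: objects in the payload are not instantiated. They come
// back as __PHP_Incomplete_Class, so no magic method of any real class runs.
function restoreSessionStateHardened(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Constructed attacker payload: a serialized LogFlusher whose destructor
// will write attacker-chosen content to an attacker-chosen path.
// Format: O:<len>:"<class>":<n>:{s:<len>:"<prop>";s:<len>:"<value>";...}
function buildPayload(string $path, string $content): string
{
    return sprintf(
        'O:10:"LogFlusher":2:{s:7:"logFile";s:%d:"%s";s:7:"content";s:%d:"%s";}',
        strlen($path), $path, strlen($content), $content
    );
}

$target  = sys_get_temp_dir() . '/poi-demo.php';
$payload = buildPayload($target, "<?php echo 'gadget ran'; ?>");

// 1. Vulnerable path. The object is rebuilt from the payload, and when the
//    last reference is dropped its __destruct() writes the file. Nothing in
//    the vulnerable code path mentions LogFlusher; the attacker chose it.
@unlink($target);
$obj = restoreSessionStateVulnerable($payload);
unset($obj);
echo "vulnerable: file written = " . var_export(file_exists($target), true) . "\n";

// 2. Hardened path. The same payload yields an incomplete-class stub, so
//    the destructor never exists and no file is written.
@unlink($target);
$obj = restoreSessionStateHardened($payload);
echo "hardened: class = " . get_class($obj) . "\n";
unset($obj);
echo "hardened: file written = " . var_export(file_exists($target), true) . "\n";
```

Run it with `php poi-demo.php`; the first run writes a file under the system temp directory, the second does not. The point for auditing a Drupal site is the shape of the vulnerable function: a call to unserialize() whose argument can be influenced by a request. Finding one of those in a contributed or custom module is what turns a gadget such as CVE-2024-55638 into a real attack, and either restricting allowed_classes or switching to JSON removes the primitive regardless of which gadgets happen to be loaded.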
Update Drupal Core to the latest available version. Specifically, update to version 7.102, 10.2.11 or 10.3.9, or a later release. This fixes the deserialization of untrusted data vulnerability.
Yes. Even if you don't have third-party modules, it is recommended to update to the fixed release for your branch (7.102, 10.2.11 or 10.3.9, or later) to remove the gadget itself. Although exploitation is unlikely today, a future bug in core or in a module you add later could supply the missing unserialize() entry point, so the update is an important preventative measure.
If you can't update immediately, closely monitor your site for suspicious activity and reduce the chance that attacker-controlled data reaches unserialize(): audit custom and contributed modules for unserialize() calls on request data, pass the allowed_classes option where deserialization is unavoidable, and consider web application firewall rules that block request parameters containing PHP serialized object syntax (for example strings beginning with O: followed by a class name). Note that a firewall cannot restrict a PHP function; it can only filter the input that reaches it.
This vulnerability is in Drupal Core itself. Third-party modules can introduce the other half of the attack (an unserialize() call on untrusted data) or similar gadgets of their own, so it's important to keep them updated as well.
Use the Drupal security advisories published at drupal.org, run `composer audit` against your project's composer.lock (available in Composer 2.4 and later), and consult the vulnerability lists of the third-party modules you use to identify potential issues.
PHP Object Injection is an attack technique in which an attacker supplies crafted serialized data to an application's unserialize() call, causing PHP to instantiate objects of attacker-chosen classes with attacker-chosen property values. Magic methods such as __wakeup(), __destruct() and __toString() on those objects then run automatically; chaining suitable ones together (a gadget chain) can lead to arbitrary code execution.