CVE-2024-55638

Source
https://cve.org/CVERecord?id=CVE-2024-55638
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-55638.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-55638
Aliases
Downstream
Published
2024-12-09T23:26:30.780Z
Modified
2026-07-15T01:49:18.885728509Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008
Details

Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.

Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.

Database specific
{
    "cna_assigner": "drupal",
    "cwe_ids": [
        "CWE-915"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/55xxx/CVE-2024-55638.json"
}
References

Affected packages

Git / git.drupalcode.org/project/drupal

Affected ranges

Type
GIT
Repo
https://git.drupalcode.org/project/drupal
Events
Introduced
497914920385b7016ac9c9367e0198530787adf2
Fixed
fa67320cf2109f1102201da5f66fd189c56f8b25
Introduced
35c2f3ca5c935f3d8bde15932a712677c9bbd50f
Fixed
2570b33d6e36d5835119b683af0d6a866593276b
Introduced
150df8b6d02131a72a34ec1cb5444c191ae5e407
Fixed
f2093af42504324a1f55ca1783eab5b8a93afaa0
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "7.0"
        },
        {
            "fixed": "7.102"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "10.2.11"
        },
        {
            "introduced": "10.3.0"
        },
        {
            "fixed": "10.3.9"
        }
    ]
}
Type
GIT
Repo
https://github.com/drupal/drupal
Events
Database specific
{
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "7.0"
        },
        {
            "fixed": "7.102"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "10.2.11"
        },
        {
            "introduced": "10.3.0"
        },
        {
            "fixed": "10.3.9"
        }
    ],
    "cpe": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"
}

Affected versions

10.*
10.0.0-alpha1
10.0.0-alpha3
10.0.0-alpha4
10.0.0-alpha5
10.1.0-alpha1
10.2.0
10.2.0-alpha1
10.2.0-beta1
10.2.0-rc1
10.2.1
10.2.10
10.2.3
10.2.4
10.2.5
10.2.6
10.2.7
10.2.8
10.2.9
10.3.0-beta1
10.3.0-rc1
10.3.1
10.3.2
10.3.3
10.3.4
10.3.5
10.3.6
10.3.7
10.3.8
7.*
7.0
7.10
7.100
7.101
7.12
7.14
7.15
7.17
7.22
7.23
7.25
7.28
7.30
7.33
7.36
7.37
7.4
7.40
7.42
7.43
7.50
7.51
7.54
7.55
7.56
7.6
7.61
7.64
7.68
7.7
7.71
7.76
7.77
7.79
7.8
7.81
7.83
7.84
7.85
7.87
7.89
7.9
7.90
7.92
7.93
7.94
7.97
7.98
7.99
8.*
8.0.0
8.1.0-beta1
9.*
9.0.0-alpha1
9.0.0-alpha2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-55638.json"