DRUPAL-CONTRIB-2018-022

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/drd_agent/DRUPAL-CONTRIB-2018-022.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2018-022

Published

2018-04-25T17:37:20Z

Modified

2025-12-10T23:33:32.625770Z

Summary

[none]

Details

This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard.

The modules (DRD and DRD Agent) encrypt the data which is exchanged between them but in order to do so, they use the PHP serialize/unserialize functions instead of the json_encode/json_decode combination. As the unserialize function is called on unauthenticated content, this introduces a PHP object injection vulnerability.

References

https://www.drupal.org/sa-contrib-2018-022

Credits

- David Snopek
- - https://www.drupal.org/user/266527

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/drd_agent

Package

Name: drupal/drd_agent
Purl: pkg:composer/drupal/drd_agent

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

3.7.0

Database specific

{
    "constraint": "<3.7.0"
}

Database specific

affected_versions

"<3.7.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/drd_agent/DRUPAL-CONTRIB-2018-022.json"