PT-2024-9307 · Drupal · Drupal Core

Benji Fisher +4 · Published 2024-11-20 · Updated 2025-06-03 · CVE-2024-55637

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
Drupal Core versions 8.0.0 through 10.2.10
Drupal Core versions 10.3.0 through 10.3.8
Drupal Core versions 11.0.0 through 11.0.7

Description: The issue is deserialization of untrusted data, which allows object injection. Drupal core contains a gadget chain that becomes exploitable when an insecure deserialization vulnerability exists elsewhere, giving a vector for remote code execution. The severity is mitigated by the fact that a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(); the gadget chain is not reachable on its own.

Recommendations:
For versions 8.0.0 through 10.2.10, update to version 10.2.11 or later.
For versions 10.3.0 through 10.3.8, update to version 10.3.9 or later.
For versions 11.0.0 through 11.0.7, update to version 11.0.8 or later.
As a temporary workaround, consider adding types to properties in subclasses of Drupal core's classes to avoid a TypeError. Restrict access to the unserialize() function to minimize the risk of exploitation.
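The two defensive levers named above, typed properties and restricting what unserialize() may instantiate, shown in plain PHP as an added example (not Drupal core code); UntypedPlugin, TypedPlugin and the serialized payload are constructed stand-ins, not the classes involved in the real gadget chain.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a subclass of a Drupal core class (an assumption
// for this example): an untyped property accepts whatever unserialize() supplies.
class UntypedPlugin
{
    public $configuration;
}

// The same class with a typed property: a serialized value of the wrong type
// makes unserialize() throw a TypeError before the object is usable.
class TypedPlugin
{
    public array $configuration = [];
}

// Constructed payload: the property carries a string where an array is expected,
// the kind of mismatch crafted serialized input relies on. %d and %s are filled
// with the class name length and the class name below.
$crafted = 'O:%d:"%s":1:{s:13:"configuration";s:9:"malicious";}';

function tryUnserialize(string $class, string $payloadTemplate): string
{
    $data = sprintf($payloadTemplate, strlen($class), $class);
    try {
        $obj = unserialize($data, ['allowed_classes' => [$class]]);
        return sprintf('%s: accepted, configuration is %s', $class, gettype($obj->configuration));
    } catch (TypeError $e) {
        return sprintf('%s: rejected, %s', $class, $e->getMessage());
    }
}

echo tryUnserialize(UntypedPlugin::class, $crafted), PHP_EOL;
echo tryUnserialize(TypedPlugin::class, $crafted), PHP_EOL;

// Restricting unserialize() itself: with allowed_classes => false no application
// class is instantiated from the data at all. Objects in the payload become
// __PHP_Incomplete_Class, so a gadget chain has nothing to start from.
$restricted = unserialize(
    sprintf($crafted, strlen(TypedPlugin::class), TypedPlugin::class),
    ['allowed_classes' => false]
);
echo get_class($restricted), PHP_EOL;
```

Typed-property enforcement during unserialize() requires PHP 7.4 or later; the allowed_classes option has been available since PHP 7.0.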

Tags: Fix · RCE · Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

BDU:2024-10996
BIT-DRUPAL-2024-55637
CVE-2024-55637
DRUPAL-CORE-2024-007
GHSA-W6RX-9G2X-MG5G

Affected Products

Drupal Core