PT-2024-9308 · Drupal · Drupal Core

Credited: Benji Fisher (+3)

Published: 2024-11-20 · Updated: 2025-06-03 · CVE-2024-55636

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
- Drupal Core versions 8.0.0 through 10.2.10
- Drupal Core versions 10.3.0 through 10.3.8
- Drupal Core versions 11.0.0 through 11.0.7

Description: The issue is a deserialization of untrusted data weakness that allows object injection. Drupal core contains a gadget chain that becomes exploitable when the application deserializes untrusted data through some other insecure deserialization vulnerability, giving an attacker a vector for remote code execution. The gadget chain may also allow an attacker to delete arbitrary files.

Recommendations: For versions 8.0.0 through 10.2.10, update to version 10.2.11 or later. For versions 10.3.0 through 10.3.8, update to version 10.3.9 or later. For versions 11.0.0 through 11.0.7, update to version 11.0.8 or later. As a temporary workaround, consider restricting the use of the unserialize() function to minimize the risk of exploitation. To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes; if an application extends those classes, the same types may need to be declared on the subclass to avoid a TypeError.

Tags: Fix · RCE · Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

BDU:2024-10997
BIT-DRUPAL-2024-55636
CVE-2024-55636
DRUPAL-CORE-2024-006
GHSA-938F-5R4F-H65V

Affected Products

Drupal Core