PT-2024-9323 · Drupal+1 · Drupal Core+1
Alex Pott +6 · Published 2024-11-20 · Updated 2025-07-03 · CVE-2024-55638
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
Drupal Core versions 7.0 through 7.101
Drupal Core versions 8.0.0 through 10.2.10
Drupal Core versions 10.3.0 through 10.3.8
Description: The issue concerns deserialization of untrusted data, which allows object injection. This can lead to remote code execution if the application deserializes untrusted data because of another vulnerability: a gadget chain in Drupal core becomes exploitable once an insecure deserialization vulnerability exists, giving a vector for remote code execution. The vulnerability is not directly exploitable on its own; it requires a separate vulnerability that lets an attacker pass unsafe input to unserialize().
Recommendations: For versions 7.0 through 7.101, update to version 7.102 or later. For versions 8.0.0 through 10.2.10, update to version 10.2.11 or later. For versions 10.3.0 through 10.3.8, update to version 10.3.9 or later. As a temporary workaround, consider adding additional checks to the database code to help protect against this potential vulnerability. If using a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases.
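The mechanism the advisory describes, shown as an added example that is not code from the advisory or from Drupal: a constructed class (CacheEntry) stands in for any class whose magic methods run during deserialization, a constructed serialized string stands in for attacker-controlled input, and the hardened wrapper shows the allowed_classes restriction that stops object injection at the unserialize() sink.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a gadget: its __wakeup() runs automatically
// whenever unserialize() rebuilds an object of this class.
final class CacheEntry
{
    public string $key = '';
    public string $backend = 'memory';
    public static int $wakeups = 0;   // counts how often __wakeup() fired

    public function __wakeup(): void
    {
        // A real gadget would act on attacker-chosen property values here.
        self::$wakeups++;
    }
}

// Hardened wrapper: objects of any class are refused, so no magic method
// of a real class can execute. max_depth (PHP >= 7.4) bounds nesting.
function decodeUntrusted(string $blob): mixed
{
    $value = unserialize($blob, ['allowed_classes' => false, 'max_depth' => 16]);
    if ($value === false && $blob !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized input');
    }
    // Anything that was an object is now __PHP_Incomplete_Class; reject it.
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new InvalidArgumentException('objects are not accepted');
    }
    return $value;
}

// Constructed payload: the serialized form of a CacheEntry with
// attacker-chosen property values (lengths 10, 3, 6, 7, 4 match the strings).
$untrusted = 'O:10:"CacheEntry":2:{s:3:"key";s:6:"evil/k";s:7:"backend";s:4:"disk";}';

// Unsafe sink: the class named in the payload is instantiated and its
// __wakeup() has already run by the time unserialize() returns.
$obj = unserialize($untrusted);
var_dump($obj instanceof CacheEntry, CacheEntry::$wakeups); // bool(true), int(1)

// Hardened: the same input never becomes a live object.
try {
    decodeUntrusted($untrusted);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;        // objects are not accepted
}
var_dump(CacheEntry::$wakeups);           // int(1): still 1, no second wakeup
var_dump(decodeUntrusted('a:1:{s:1:"k";s:1:"v";}')); // plain array is fine
```

Where serialized data must carry objects, pass an explicit array of class names in allowed_classes instead of false; everything outside that list still arrives as __PHP_Incomplete_Class rather than a live object.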

Fix · RCE
Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers

BDU:2024-11013
BIT-DRUPAL-2024-55638
CVE-2024-55638
DRUPAL-CORE-2024-008
GHSA-GVF2-2F4G-JQF4

Affected Products

Drupal Core
Red Os