Search for vulnerabilities
Vulnerability details: VCID-svtf-jzyy-cbg8
Vulnerability ID VCID-svtf-jzyy-cbg8
Aliases CVE-2024-55638
GHSA-gvf2-2f4g-jqf4
Summary Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core. To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.
Status Published
Exploitability 0.5
Weighted Severity 8.8
Risk 4.4
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-502 Deserialization of Untrusted Data
System Score Found at
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00312 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00312 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0043 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0043 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0043 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00511 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00511 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00511 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00511 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00511 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00511 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00511 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00511 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00571 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00571 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00679 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00704 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00809 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.00997 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.01088 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.01088 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.01088 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.01088 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.01088 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.01088 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.01088 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.01088 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.01088 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.01088 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.01088 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.01088 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.01809 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0339 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0339 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0339 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0339 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0339 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0339 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0339 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0339 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0339 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0339 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0339 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0339 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0339 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
epss 0.0339 https://api.first.org/data/v1/epss?cve=CVE-2024-55638
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-gvf2-2f4g-jqf4
cvssv3.1 9.8 https://github.com/drupal/core
generic_textual HIGH https://github.com/drupal/core
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2024-55638
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2024-55638
cvssv3.1 9.8 https://www.drupal.org/sa-core-2024-008
generic_textual HIGH https://www.drupal.org/sa-core-2024-008
ssvc Track https://www.drupal.org/sa-core-2024-008
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-55638
https://github.com/drupal/core
https://nvd.nist.gov/vuln/detail/CVE-2024-55638
https://www.drupal.org/sa-core-2024-008
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
GHSA-gvf2-2f4g-jqf4 https://github.com/advisories/GHSA-gvf2-2f4g-jqf4
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/drupal/core
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-55638
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.drupal.org/sa-core-2024-008
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-10T21:19:33Z/ Found at https://www.drupal.org/sa-core-2024-008
Exploit Prediction Scoring System (EPSS)
Percentile 0.10788
EPSS Score 0.00043
Published At Dec. 11, 2024, midnight
Date Actor Action Source VulnerableCode Version
2024-12-11T16:33:28.658523+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-gvf2-2f4g-jqf4/GHSA-gvf2-2f4g-jqf4.json 35.0.0