149 行
12 KiB
JSON
149 行
12 KiB
JSON
{
|
|
"canonical_id": "drupal--23ec7fa241",
|
|
"system_id": "drupal",
|
|
"display_name": "Drupal",
|
|
"category": "cms",
|
|
"advisory_mode": "core",
|
|
"title": "Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003",
|
|
"summary": "<div class=\"field field-name-field-project field-type-entityreference field-label-inline clearfix\"><div class=\"field-label\">Project: </div><div class=\"field-items\"><div class=\"field-item even\"><a href=\"/project/drupal\">Drupal core</a></div></div></div><div class=\"field field-name-drupalorg-sa-date field-type-text field-label-inline clearfix\"><div class=\"field-label\">Date: </div><div class=\"field-items\"><div class=\"field-item even\">2025-February-19</div></div></div><div class=\"field field-name-field-sa-criticality field-type-text field-label-inline clearfix\"><div class=\"field-label\">Security risk: </div><div class=\"field-items\"><div class=\"field-item even\"><a href=\"/security-team/risk-levels\" class=\"moderately-critical\" title=\"AC - Access complexity: Complex or highly specific (multi-step, unintuitive process with high number of dependencies)\nA - Authentication: Administrator (broad permissions required where \u201crestrict access\u201d is set to false)\nCI - Confidentiality impact: All non-public data is accessible\nII - Integrity impact: All data can be modified or deleted\nE - Exploit (Zero-day impact): Theoretical or white-hat (no public exploit code or documentation on development exists)\nTD - Target distribution: Only uncommon module configurations are exploitable\"><strong>Moderately critical</strong> 14\u2009\u2215\u200925 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon</a></div></div></div><div class=\"field field-name-field-sa-type field-type-text field-label-inline clearfix\"><div class=\"field-label\">Vulnerability: </div><div class=\"field-items\"><div class=\"field-item even\">Gadget Chain</div></div></div><div class=\"field field-name-field-affected-versions field-type-text field-label-inline clearfix\"><div class=\"field-label\">Affected versions: </div><div class=\"field-items\"><div class=\"field-item even\">>= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3</div></div></div><div class=\"field field-name-field-sa-cve field-type-text field-label-inline clearfix\"><div class=\"field-label\">CVE IDs: </div><div class=\"field-items\"><div class=\"field-item even\">CVE-2025-31674</div></div></div><div class=\"field field-name-field-sa-description field-type-text-long field-label-above\"><div class=\"field-label\">Description: </div><div class=\"field-items\"><div class=\"field-item even\"><p>Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable.</p>\n<p>This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to <code class=\"language-php\">unserialize()</code>. There are no such known exploits in Drupal core.</p></div></div></div><div class=\"field field-name-field-sa-solution field-type-text-long field-label-above\"><div class=\"field-label\">Solution: </div><div class=\"field-items\"><div class=\"field-item even\"><p>Install the latest version:</p>\n<ul>\n<li>If you use Drupal 10.3.x, update to <a href=\"https://www.drupal.org/project/drupal/releases/10.3.13\" rel=\"nofollow\">Drupal 10.3.13</a></li>\n<li>If you use Drupal 10.4.x, update to <a href=\"https://www.drupal.org/project/drupal/releases/10.4.3\" rel=\"nofollow\">Drupal 10.4.3</a></li>\n<li>If you use Drupal 11.0.x, update to <a href=\"https://www.drupal.org/project/drupal/releases/11.0.12\" rel=\"nofollow\">Drupal 11.0.12</a></li>\n<li>If you use Drupal 11.1.x, update to <a href=\"https://www.drupal.org/project/drupal/releases/11.1.3\" rel=\"nofollow\">Drupal 11.1.3</a></li>\n</ul>\n<p>All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. (<a href=\"https://www.drupal.org/psa-2021-06-29\" rel=\"nofollow\">Drupal 8</a> and <a href=\"https://www.drupal.org/psa-2023-11-01\" rel=\"nofollow\">Drupal 9</a> have both reached end-of-life.)</p></div></div></div><div class=\"field field-name-field-sa-reported-by field-type-text-long field-label-above\"><div class=\"field-label\">Reported By: </div><div class=\"field-items\"><div class=\"field-item even\"><ul>\n<li><a href=\"/u/anzuukino\" rel=\"nofollow\">anzuukino</a></li>\n<li><a href=\"/u/shin24\" rel=\"nofollow\">shin24</a></li>\n</ul></div></div></div><div class=\"field field-name-field-sa-fixed-by field-type-text-long field-label-above\"><div class=\"field-label\">Fixed By: </div><div class=\"field-items\"><div class=\"field-item even\"><ul>\n<li><a href=\"/u/ghost-of-drupal-past\" rel=\"nofollow\">ghost of drupal past</a></li>\n<li><a href=\"/u/longwave\" rel=\"nofollow\">Dave Long (longwave)</a> of the Drupal Security Team</li>\n<li><a href=\"/u/mcdruid\" rel=\"nofollow\">Drew Webber (mcdruid)</a> of the Drupal Security Team</li>\n<li><a href=\"/u/nicxvan\" rel=\"nofollow\">nicxvan</a></li>\n<li><a href=\"/u/shin24\" rel=\"nofollow\">shin24</a></li>\n</ul></div></div></div>",
|
|
"published_at": "Wed, 19 Feb 2025 17:03:28 +0000",
|
|
"updated_at": "Wed, 19 Feb 2025 17:03:28 +0000",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"source_confidence": "official",
|
|
"official_source_url": "https://www.drupal.org/sa-core-2025-003",
|
|
"secondary_source_urls": [],
|
|
"aliases": [],
|
|
"cve_ids": [],
|
|
"ghsa_ids": [],
|
|
"osv_ids": [],
|
|
"affected_versions": [],
|
|
"fixed_versions": [],
|
|
"package_name": null,
|
|
"render_markdown": false,
|
|
"case_path": null,
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"xss-output-encoding",
|
|
"file-upload-validation",
|
|
"plugin-extension-trust-policy"
|
|
],
|
|
"status": "triage",
|
|
"triage_reasons": [
|
|
"missing affected/fixed version details"
|
|
],
|
|
"entity_refs": [
|
|
{
|
|
"entity_id": "drupal",
|
|
"entity_type": "system",
|
|
"relation": "root-system",
|
|
"root_system_id": "drupal",
|
|
"official": true
|
|
}
|
|
],
|
|
"affected_components": [
|
|
{
|
|
"name": "Drupal",
|
|
"entity_id": "drupal",
|
|
"scope": "core",
|
|
"package_name": null,
|
|
"official": true
|
|
}
|
|
],
|
|
"affected_version_ranges": [],
|
|
"fixed_version_ranges": [],
|
|
"introduced_version": null,
|
|
"patched_version": null,
|
|
"version_evidence_sources": [
|
|
"https://www.drupal.org/sa-core-2025-003"
|
|
],
|
|
"affected_version_refs": [],
|
|
"fixed_version_refs": [],
|
|
"patched_version_refs": [],
|
|
"version_sync_confidence": "low",
|
|
"advisory_scope": "core",
|
|
"version_confidence": "low",
|
|
"version_gap_reason": "official bulletin or aggregated source did not expose explicit affected/fixed versions",
|
|
"version_resolution_needed": true,
|
|
"workflow": {
|
|
"workflow_id": "drupal--23ec7fa241--workflow",
|
|
"vuln_family": "xss",
|
|
"entry_surface": "web-ui-render-path",
|
|
"preconditions": [
|
|
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
|
|
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: \u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d",
|
|
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `core`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
|
|
],
|
|
"required_role": "editor-or-admin",
|
|
"affected_version_assertion": [
|
|
"\u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d"
|
|
],
|
|
"trigger_vector": "\u5bf9 `xss` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
|
|
"request_or_ui_path": [
|
|
"/admin/editor",
|
|
"/preview",
|
|
"/rendered-content"
|
|
],
|
|
"input_shape": "\u53d7\u63a7 HTML/Markdown/\u5bcc\u6587\u672c\u8f93\u5165\uff0c\u89c2\u5bdf\u6e32\u67d3\u4e0a\u4e0b\u6587\u662f\u5426\u5931\u53bb\u7f16\u7801\u6216\u51c0\u5316\u3002",
|
|
"expected_unsafe_behavior": "\u8f93\u5165\u5728\u76ee\u6807\u4e0a\u4e0b\u6587\u6267\u884c\u6216\u88ab\u6d4f\u89c8\u5668\u89e3\u91ca\u4e3a\u4e3b\u52a8\u5185\u5bb9\u3002",
|
|
"server_evidence_points": [
|
|
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
|
|
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
|
|
],
|
|
"browser_evidence_points": [
|
|
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
|
|
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
|
|
],
|
|
"db_or_fs_evidence_points": [
|
|
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
|
|
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
|
|
],
|
|
"detection_signals": [
|
|
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
|
|
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
|
|
],
|
|
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
|
|
"patch_validation_steps": [
|
|
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `\u53d7\u5f71\u54cd\u7248\u672c\u533a\u95f4` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `\u4fee\u590d\u7248\u672c`\u3002",
|
|
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
|
|
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
|
|
"\u8865\u5145 `xss` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
|
|
],
|
|
"lab_safety_notes": [
|
|
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
|
|
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
|
|
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
|
|
],
|
|
"review_state": "needs-version-gap-review"
|
|
},
|
|
"verification_status": "triage-manual",
|
|
"verification_mode": "synthetic",
|
|
"last_verified_at": null,
|
|
"last_run_id": null,
|
|
"evidence_bundle": null,
|
|
"historical_status": null,
|
|
"latest_status": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
},
|
|
"repro_profile_id": "xss-generic",
|
|
"artifact_mode": "official-image",
|
|
"blocked_reason": null,
|
|
"metadata": {
|
|
"source_names": [
|
|
"Drupal Security Advisories RSS"
|
|
],
|
|
"source_kinds": [
|
|
"rss-feed"
|
|
],
|
|
"candidate_count": 1,
|
|
"entity_ref_count": 1,
|
|
"advisory_scope": "core",
|
|
"version_confidence": "low",
|
|
"workflow_id": "drupal--23ec7fa241--workflow"
|
|
}
|
|
}
|