145 行
12 KiB
JSON
145 行
12 KiB
JSON
{
|
|
"canonical_id": "drupal--dffda84bb1",
|
|
"system_id": "drupal",
|
|
"display_name": "Drupal",
|
|
"category": "cms",
|
|
"advisory_mode": "core",
|
|
"title": "Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007",
|
|
"summary": "<div class=\"field field-name-field-project field-type-entityreference field-label-inline clearfix\"><div class=\"field-label\">Project: </div><div class=\"field-items\"><div class=\"field-item even\"><a href=\"/project/drupal\">Drupal core</a></div></div></div><div class=\"field field-name-drupalorg-sa-date field-type-text field-label-inline clearfix\"><div class=\"field-label\">Date: </div><div class=\"field-items\"><div class=\"field-item even\">2024-November-20</div></div></div><div class=\"field field-name-field-sa-criticality field-type-text field-label-inline clearfix\"><div class=\"field-label\">Security risk: </div><div class=\"field-items\"><div class=\"field-item even\"><a href=\"/security-team/risk-levels\" class=\"moderately-critical\" title=\"AC - Access complexity: Complex or highly specific (multi-step, unintuitive process with high number of dependencies)\nA - Authentication: Administrator (broad permissions required where \u201crestrict access\u201d is set to false)\nCI - Confidentiality impact: All non-public data is accessible\nII - Integrity impact: All data can be modified or deleted\nE - Exploit (Zero-day impact): Theoretical or white-hat (no public exploit code or documentation on development exists)\nTD - Target distribution: Only uncommon module configurations are exploitable\"><strong>Moderately critical</strong> 14\u2009\u2215\u200925 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon</a></div></div></div><div class=\"field field-name-field-sa-type field-type-text field-label-inline clearfix\"><div class=\"field-label\">Vulnerability: </div><div class=\"field-items\"><div class=\"field-item even\">Gadget chain</div></div></div><div class=\"field field-name-field-affected-versions field-type-text field-label-inline clearfix\"><div class=\"field-label\">Affected versions: </div><div class=\"field-items\"><div class=\"field-item even\">>= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8</div></div></div><div class=\"field field-name-field-sa-cve field-type-text field-label-inline clearfix\"><div class=\"field-label\">CVE IDs: </div><div class=\"field-items\"><div class=\"field-item even\">CVE-2024-55637</div></div></div><div class=\"field field-name-field-sa-description field-type-text-long field-label-above\"><div class=\"field-label\">Description: </div><div class=\"field-items\"><div class=\"field-item even\"><p>Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.</p>\n<p>This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to <code class=\"language-php\">unserialize()</code>. There are no such known exploits in Drupal core.</p>\n<p>To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a <code class=\"language-php\">TypeError</code>.</p></div></div></div><div class=\"field field-name-field-sa-solution field-type-text-long field-label-above\"><div class=\"field-label\">Solution: </div><div class=\"field-items\"><div class=\"field-item even\"><p>Install the latest version:</p>\n<ul>\n<li>If you are using Drupal 10.2, update to <a href=\"https://www.drupal.org/project/drupal/releases/10.2.11\" rel=\"nofollow\">Drupal 10.2.11.</a></li>\n<li>If you are using Drupal 10.3, update to <a href=\"https://www.drupal.org/project/drupal/releases/10.3.9\" rel=\"nofollow\">Drupal 10.3.9.</a></li>\n<li>If you are using Drupal 11.0, update to <a href=\"https://www.drupal.org/project/drupal/releases/11.0.8\" rel=\"nofollow\">Drupal 11.0.8.</a></li>\n<li>Drupal 7 is not affected.</li>\n</ul>\n<p>All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (<a href=\"https://www.drupal.org/psa-2021-06-29\" rel=\"nofollow\">Drupal 8</a> and <a href=\"https://www.drupal.org/psa-2023-11-01\" rel=\"nofollow\">Drupal 9</a> have both reached end-of-life.)</p></div></div></div><div class=\"field field-name-field-sa-reported-by field-type-text-long field-label-above\"><div class=\"field-label\">Reported By: </div><div class=\"field-items\"><div class=\"field-item even\"><ul>\n<li><a href=\"https://www.drupal.org/user/255969\" rel=\"nofollow\">Drew Webber</a> of the Drupal Security Team</li>\n</ul></div></div></div><div class=\"field field-name-field-sa-fixed-by field-type-text-long field-label-above\"><div class=\"field-label\">Fixed By: </div><div class=\"field-items\"><div class=\"field-item even\"><ul>\n<li><a href=\"https://www.drupal.org/user/255969\" rel=\"nofollow\">Drew Webber</a> of the Drupal Security Team</li>\n<li><a href=\"https://www.drupal.org/user/395439\" rel=\"nofollow\">Lee Rowlands</a> of the Drupal Security Team</li>\n</ul></div></div></div><div class=\"field field-name-field-sa-coordinated-by field-type-text-long field-label-above\"><div class=\"field-label\">Coordinated By: </div><div class=\"field-items\"><div class=\"field-item even\"><ul>\n<li><a href=\"https://www.drupal.org/user/272316\" rel=\"nofollow\">Juraj Nemec</a> of the Drupal Security Team</li>\n<li><a href=\"https://www.drupal.org/user/36762\" rel=\"nofollow\">Greg Knaddison</a> of the Drupal Security Team</li>\n<li><a href=\"https://www.drupal.org/user/683300\" rel=\"nofollow\">Benji Fisher</a> of the Drupal Security Team</li>\n<li><a href=\"https://www.drupal.org/u/xjm\" rel=\"nofollow\">xjm</a> of the Drupal Security Team</li>\n</ul></div></div></div>",
|
|
"published_at": "Wed, 20 Nov 2024 17:27:28 +0000",
|
|
"updated_at": "Wed, 20 Nov 2024 17:27:28 +0000",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"source_confidence": "official",
|
|
"official_source_url": "https://www.drupal.org/sa-core-2024-007",
|
|
"secondary_source_urls": [],
|
|
"aliases": [],
|
|
"cve_ids": [],
|
|
"ghsa_ids": [],
|
|
"osv_ids": [],
|
|
"affected_versions": [],
|
|
"fixed_versions": [],
|
|
"package_name": null,
|
|
"render_markdown": false,
|
|
"case_path": null,
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"xss-output-encoding",
|
|
"file-upload-validation",
|
|
"plugin-extension-trust-policy"
|
|
],
|
|
"status": "triage",
|
|
"triage_reasons": [
|
|
"missing affected/fixed version details"
|
|
],
|
|
"entity_refs": [
|
|
{
|
|
"entity_id": "drupal",
|
|
"entity_type": "system",
|
|
"relation": "root-system",
|
|
"root_system_id": "drupal",
|
|
"official": true
|
|
}
|
|
],
|
|
"affected_components": [
|
|
{
|
|
"name": "Drupal",
|
|
"entity_id": "drupal",
|
|
"scope": "core",
|
|
"package_name": null,
|
|
"official": true
|
|
}
|
|
],
|
|
"affected_version_ranges": [],
|
|
"fixed_version_ranges": [],
|
|
"introduced_version": null,
|
|
"patched_version": null,
|
|
"version_evidence_sources": [
|
|
"https://www.drupal.org/sa-core-2024-007"
|
|
],
|
|
"advisory_scope": "core",
|
|
"version_confidence": "low",
|
|
"version_gap_reason": "official bulletin or aggregated source did not expose explicit affected/fixed versions",
|
|
"version_resolution_needed": true,
|
|
"workflow": {
|
|
"workflow_id": "drupal--dffda84bb1--workflow",
|
|
"vuln_family": "xss",
|
|
"entry_surface": "web-ui-render-path",
|
|
"preconditions": [
|
|
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
|
|
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: \u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d",
|
|
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `core`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
|
|
],
|
|
"required_role": "editor-or-admin",
|
|
"affected_version_assertion": [
|
|
"\u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d"
|
|
],
|
|
"trigger_vector": "\u5bf9 `xss` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
|
|
"request_or_ui_path": [
|
|
"/admin/editor",
|
|
"/preview",
|
|
"/rendered-content"
|
|
],
|
|
"input_shape": "\u53d7\u63a7 HTML/Markdown/\u5bcc\u6587\u672c\u8f93\u5165\uff0c\u89c2\u5bdf\u6e32\u67d3\u4e0a\u4e0b\u6587\u662f\u5426\u5931\u53bb\u7f16\u7801\u6216\u51c0\u5316\u3002",
|
|
"expected_unsafe_behavior": "\u8f93\u5165\u5728\u76ee\u6807\u4e0a\u4e0b\u6587\u6267\u884c\u6216\u88ab\u6d4f\u89c8\u5668\u89e3\u91ca\u4e3a\u4e3b\u52a8\u5185\u5bb9\u3002",
|
|
"server_evidence_points": [
|
|
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
|
|
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
|
|
],
|
|
"browser_evidence_points": [
|
|
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
|
|
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
|
|
],
|
|
"db_or_fs_evidence_points": [
|
|
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
|
|
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
|
|
],
|
|
"detection_signals": [
|
|
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
|
|
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
|
|
],
|
|
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
|
|
"patch_validation_steps": [
|
|
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `\u53d7\u5f71\u54cd\u7248\u672c\u533a\u95f4` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `\u4fee\u590d\u7248\u672c`\u3002",
|
|
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
|
|
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
|
|
"\u8865\u5145 `xss` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
|
|
],
|
|
"lab_safety_notes": [
|
|
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
|
|
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
|
|
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
|
|
],
|
|
"review_state": "needs-version-gap-review"
|
|
},
|
|
"verification_status": "triage-manual",
|
|
"verification_mode": "synthetic",
|
|
"last_verified_at": null,
|
|
"last_run_id": null,
|
|
"evidence_bundle": null,
|
|
"historical_status": null,
|
|
"latest_status": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
},
|
|
"repro_profile_id": "xss-generic",
|
|
"artifact_mode": "official-image",
|
|
"blocked_reason": null,
|
|
"metadata": {
|
|
"source_names": [
|
|
"Drupal Security Advisories RSS"
|
|
],
|
|
"source_kinds": [
|
|
"rss-feed"
|
|
],
|
|
"candidate_count": 1,
|
|
"entity_ref_count": 1,
|
|
"advisory_scope": "core",
|
|
"version_confidence": "low",
|
|
"workflow_id": "drupal--dffda84bb1--workflow"
|
|
}
|
|
}
|