CVE-2018-7600

critical

Description

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

References

http://www.securityfocus.com/bid/103534

http://www.securitytracker.com/id/1040598

https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/

https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714

https://github.com/a2u/CVE-2018-7600

https://github.com/g0rx/CVE-2018-7600-Drupal-RCE

https://greysec.net/showthread.php?tid=2912&pid=10561

https://groups.drupal.org/security/faq-2018-002

https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html

https://research.checkpoint.com/uncovering-drupalgeddon-2/

https://twitter.com/arancaytar/status/979090719003627521

https://twitter.com/RicterZ/status/979567469726613504

https://twitter.com/RicterZ/status/984495201354854401

https://www.debian.org/security/2018/dsa-4156

https://www.drupal.org/sa-core-2018-002

https://www.exploit-db.com/exploits/44448/

https://www.exploit-db.com/exploits/44449/

https://www.exploit-db.com/exploits/44482/

https://www.synology.com/support/security/Synology_SA_18_17

https://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know

Details

Source: MITRE

Published: 2018-03-29

Updated: 2019-03-01

Type: CWE-20

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL