Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
To help protect against this potential vulnerability, types have been added to properties in some of Drupal core’s classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError.
Solution:
Install the latest version:
If you are using Drupal 10.2, update to Drupal 10.2.11.
If you are using Drupal 10.3, update to Drupal 10.3.9.
If you are using Drupal 11.0, update to Drupal 11.0.8.
Drupal 7 is not affected.
All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable.
This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
To help protect against this vulnerability, types have been added to properties in some of Drupal core’s classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError.
Solution:
Install the latest version:
If you are using Drupal 10.2, update to Drupal 10.2.11.
If you are using Drupal 10.3, update to Drupal 10.3.9.
If you are using Drupal 11.0, update to Drupal 11.0.8.
Drupal 7 is not affected.
All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Drupal’s uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation.
As a result, a user may be able to register with the same email address as another user.
This may lead to data integrity issues.
Solution:
Install the latest version:
If you are using Drupal 10.2, update to Drupal 10.2.11.
If you are using Drupal 10.3, update to Drupal 10.3.9.
If you are using Drupal 11.0, update to Drupal 11.0.8.
Drupal 7 is not affected.
All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Updating Drupal will not solve potential issues with existing accounts affected by this bug. See Fixing emails that vary only by case for additional guidance.
Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized.
Update the rustls crate to version 0.23.17.
Update the zlib-rs crate to version 0.4.0.
The update to zlib-rs v0.4.0 also addresses CVE-2024-11249 (stack overflow during decompression with malicious input). This issue had no actual impact in Fedora, because no applications yet use the the zlib-rs feature of rustls and rustls is the only dependent package of zlib-rs.
Update the rustls crate to version 0.23.17.
Update the zlib-rs crate to version 0.4.0.
The update to zlib-rs v0.4.0 also addresses CVE-2024-11249 (stack overflow during decompression with malicious input). This issue had no actual impact in Fedora, because no applications yet use the the zlib-rs feature of rustls and rustls is the only dependent package of zlib-rs.
Update the rustls crate to version 0.23.17.
Update the zlib-rs crate to version 0.4.0.
The update to zlib-rs v0.4.0 also addresses CVE-2024-11249 (stack overflow during decompression with malicious input). This issue had no actual impact in Fedora, because no applications yet use the the zlib-rs feature of rustls and rustls is the only dependent package of zlib-rs.
Update the rustls crate to version 0.23.17.
Update the zlib-rs crate to version 0.4.0.
The update to zlib-rs v0.4.0 also addresses CVE-2024-11249 (stack overflow during decompression with malicious input). This issue had no actual impact in Fedora, because no applications yet use the the zlib-rs feature of rustls and rustls is the only dependent package of zlib-rs.
Update the rustls crate to version 0.23.17.
Update the zlib-rs crate to version 0.4.0.
The update to zlib-rs v0.4.0 also addresses CVE-2024-11249 (stack overflow during decompression with malicious input). This issue had no actual impact in Fedora, because no applications yet use the the zlib-rs feature of rustls and rustls is the only dependent package of zlib-rs.