CVE-2018-7600

Name
CVE-2018-7600
Description
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
NVD Severity
high

References

| Type | URI |
| --- | --- |
| Vendor Advisory | https://www.drupal.org/sa-core-2018-002 |
| Vendor Advisory | https://groups.drupal.org/security/faq-2018-002 |
| Third Party Advisory | https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html |
| Third Party Advisory | http://www.securitytracker.com/id/1040598 |
| Third Party Advisory | http://www.securityfocus.com/bid/103534 |
| Third Party Advisory | https://www.synology.com/support/security/Synology_SA_18_17 |
| Third Party Advisory | https://www.debian.org/security/2018/dsa-4156 |
| Third Party Advisory | https://twitter.com/RicterZ/status/979567469726613504 |
| Third Party Advisory | https://github.com/a2u/CVE-2018-7600 |
| Third Party Advisory | https://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know |
| Issue Tracking | https://greysec.net/showthread.php?tid=2912&pid=10561 |
| Patch | https://github.com/g0rx/CVE-2018-7600-Drupal-RCE |
| Third Party Advisory | https://twitter.com/arancaytar/status/979090719003627521 |
| Third Party Advisory | https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714 |
| Third Party Advisory | https://twitter.com/RicterZ/status/984495201354854401 |
| Exploit | https://research.checkpoint.com/uncovering-drupalgeddon-2/ |
| Exploit | https://www.exploit-db.com/exploits/44449/ |
| Exploit | https://www.exploit-db.com/exploits/44448/ |
| Exploit | https://www.exploit-db.com/exploits/44482/ |
| Third Party Advisory | https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/ |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* | drupal | >= None | <= 7.57 |
| cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* | drupal | >= 8.0.0 | < 8.3.9 |
| cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* | drupal | >= 8.4.0 | < 8.4.6 |
| cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:* | drupal | >= 8.5.0 | < 8.5.1 |

Vulnerable and fixed packages

Source package Branch Version Maintainer Status