Drupal Core Object Injection Vulnerability Allowing Gadget Chain Exploitation

Vulnerability

A vulnerability allowing improper control over the modification of dynamically-determined object attributes has been identified in Drupal Core. This issue affects versions 8.0.0 prior to 10.5.9, 10.6.0 prior to 10.6.7, 11.0.0 prior to 11.2.11, and 11.3.0 prior to 11.3.7. The vulnerability allows object injection through a 'gadget chain' that could be exploited if an insecure deserialization vulnerability is present on the site. On its own this issue is not directly exploitable; it becomes a path to remote code execution or SQL injection only when chained with another vulnerability that lets the application deserialize untrusted data.

Impact

The vulnerability creates a potential vector for remote code execution or SQL injection, but only in conjunction with another vulnerability that allows deserialization of untrusted data.
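The precondition described above, a reachable unserialize() of untrusted data, is what lets a gadget chain run at all. The following added example (not from the advisory or from Drupal's own code; the class, property and input value are constructed stand-ins) shows why: with the default options PHP instantiates whatever class the serialized data names and runs its magic methods, whereas the allowed_classes option makes the same input inert.

```php
<?php
// Added example, not Drupal code: how the allowed_classes option to
// unserialize() removes the precondition a gadget chain depends on.

// Constructed stand-in for an application class whose magic method does
// work during deserialization. It only records that __wakeup() ran.
class AuditedGadget
{
    public static bool $wokeUp = false;
    public string $target = '';

    public function __wakeup(): void
    {
        // In a real chain this is where attacker-controlled state would be
        // acted on; here we only flag that deserialization reached it.
        self::$wokeUp = true;
    }
}

// Constructed "untrusted" input: a serialized AuditedGadget. In practice
// this would arrive from a cookie, form field or similar external source.
$g = new AuditedGadget();
$g->target = 'attacker-chosen value (constructed)';
$untrusted = serialize($g);

// 1. Unsafe: any loadable class named in the data is instantiated and its
//    __wakeup()/__destruct() run, which is all a gadget chain needs.
AuditedGadget::$wokeUp = false;
$obj = unserialize($untrusted);
printf("default:   class=%s, __wakeup ran=%s\n",
    get_class($obj), var_export(AuditedGadget::$wokeUp, true));

// 2. Hardened: no class may be instantiated. PHP substitutes
//    __PHP_Incomplete_Class, whose magic methods never run.
AuditedGadget::$wokeUp = false;
$obj = unserialize($untrusted, ['allowed_classes' => false]);
printf("hardened:  class=%s, __wakeup ran=%s\n",
    get_class($obj), var_export(AuditedGadget::$wokeUp, true));

// 3. Where objects of a known type are genuinely expected, allow-list only
//    that type; everything else is still downgraded to an incomplete class.
$obj = unserialize($untrusted, ['allowed_classes' => [stdClass::class]]);
printf("allowlist: class=%s\n", get_class($obj));
```

Auditing a site for unserialize() calls that take external input without allowed_classes (or that could use a non-object format such as JSON instead) is the check that matters for this advisory, since that call is the component the gadget chain cannot do without.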

Remediation

Update to the latest version of Drupal to address this vulnerability. Instructions for updating are available on the Drupal project page. Note that Drupal versions 11.1.x, 11.0.x, and 10.4.x and below are end-of-life and do not receive security coverage.

Added: May 19, 2026, 11:22 PM
Updated: May 19, 2026, 11:22 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 7.5
exploitability: 7.0
remediation: 7.7
relevance: 8.8
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.