CVE-2018-7602

{"id": "CVE-2018-7602", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": true, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2018-07-19T17:29:00.373", "references": [{"url": "http://www.securityfocus.com/bid/103985", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "source": "mlhess@drupal.org"}, {"url": "http://www.securitytracker.com/id/1040754", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "source": "mlhess@drupal.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "mlhess@drupal.org"}, {"url": "https://www.debian.org/security/2018/dsa-4180", "tags": ["Third Party Advisory"], "source": "mlhess@drupal.org"}, {"url": "https://www.drupal.org/sa-core-2018-004", "tags": ["Patch", "Vendor Advisory"], "source": "mlhess@drupal.org"}, {"url": "https://www.exploit-db.com/exploits/44542/", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "mlhess@drupal.org"}, {"url": "https://www.exploit-db.com/exploits/44557/", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "mlhess@drupal.org"}, {"url": "http://www.securityfocus.com/bid/103985", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securitytracker.com/id/1040754", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.debian.org/security/2018/dsa-4180", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.drupal.org/sa-core-2018-004", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.exploit-db.com/exploits/44542/", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.exploit-db.com/exploits/44557/", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild."}, {"lang": "es", "value": "Existe una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo en m\u00faltiples subsistemas de Drupal en versiones 7.x y 8.x. Esto podr\u00eda permitir que los atacantes exploten m\u00faltiples vectores de ataque en un sitio de Drupal, lo que podr\u00eda resultar en el compromiso del sitio. Esta vulnerabilidad est\u00e1 relacionada con Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Tanto SA-CORE-2018-002 como esta vulnerabilidad se est\u00e1n explotando \"in the wild\"."}], "lastModified": "2025-03-14T20:50:35.350", "cisaActionDue": "2022-05-04", "cisaExploitAdd": "2022-04-13", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3074C5BC-7B3A-411D-8B83-BE17F984ADF0", "versionEndExcluding": "7.59", "versionStartIncluding": "7.0"}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F9FB5897-287C-4442-9A52-05285E9118F6", "versionEndExcluding": "8.4.8", "versionStartIncluding": "8.4.0"}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC25B698-8D90-4E47-962D-D9A2D80049A6", "versionEndExcluding": "8.5.3", "versionStartIncluding": "8.5.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA"}, {"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43"}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"}], "operator": "OR"}]}], "sourceIdentifier": "mlhess@drupal.org", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Drupal Core Remote Code Execution Vulnerability"}