CVE-2018-7602

Scores

EPSS Score

0.9444

CVSS

3.x 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

All CVSS Scores

CVSS 4.0

0.0

CVSS 3.x

9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Description

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Sources

debiannvdubuntu

Exploits

Exploit ID: 44542

Source: exploitdb

URL: https://www.exploit-db.com/exploits/44542

Exploit ID: 44557

Source: exploitdb

URL: https://www.exploit-db.com/exploits/44557

Exploit ID: CVE-2018-7602

Source: github-poc

URL: https://github.com/132231g/CVE-2018-7602

Reference Links

http://www.securityfocus.com/bid/103985

http://www.securitytracker.com/id/1040754

https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html

https://www.debian.org/security/2018/dsa-4180

https://www.drupal.org/sa-core-2018-004

https://www.exploit-db.com/exploits/44542/

https://www.exploit-db.com/exploits/44557/

http://www.securityfocus.com/bid/103985

http://www.securitytracker.com/id/1040754

https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html

https://www.debian.org/security/2018/dsa-4180

https://www.drupal.org/sa-core-2018-004

https://www.exploit-db.com/exploits/44542/

https://www.exploit-db.com/exploits/44557/

https://www.drupal.org/psa-2018-003

https://www.cve.org/CVERecord?id=CVE-2018-7602

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Vulnerable Software

Type: Configuration

Product: drupal7

Operating System: ubuntu artful 17.10

Trait:

{
  "unfixed": true
}

Source: ubuntu

Type: Configuration

Product: drupal7

Operating System: ubuntu trusty 14.04

Trait:

{
  "unfixed": true
}

Source: ubuntu

Type: Configuration

Product: drupal7

Operating System: ubuntu xenial 16.04

Trait:

{
  "unfixed": true
}

Source: ubuntu

Type: Configuration

Product: drupal7

Operating System: debian

Trait:

{
  "unfixed": true
}

Source: debian

Type: Configuration

Vendor: debian

Product: debian_linux

Operating System: * * *

Trait:

{
  "cpe_match": [
    {
      "cpe23uri": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
      "vulnerable": true
    }
  ],
  "operator": "OR"
}

Source: nvd

Type: Configuration

Vendor: drupal

Product: drupal

Operating System: * * *

Trait:

{
  "cpe_match": [
    {
      "cpe23uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
      "versionEndExcluding": "7.59",
      "versionStartIncluding": "7.0",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
      "versionEndExcluding": "8.4.8",
      "versionStartIncluding": "8.4.0",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
      "versionEndExcluding": "8.5.3",
      "versionStartIncluding": "8.5.0",
      "vulnerable": true
    }
  ],
  "operator": "OR"
}

Source: nvd