Attacker Value
High
(3 users assessed)
Exploitability
Very High
(3 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
Drupalgeddon 2

Disclosure Date: March 29, 2018
Exploited in the Wild
Description

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

4
Ratings
Technical Analysis

Due to the many public exploits for this flaw, this is an incredibly valuable tool for an attacker to have in their arsenal. My favorite variant of this exploit is: https://github.com/g0tmi1k/Drupalgeddon2

2
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

Many versions were vulnerable, and the vulnerability was in a well-used API. The exploit took some time to develop due to a need for a deep understanding of Drupal internals (see blog post in references).

1
Ratings
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
  • Associated Malware: Kitty
  • Mitigation: Upgrade to the most recent version of Drupal 7 or 8 core.
CVSS V3 Severity and Metrics

Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • debian
  • drupal

Products

  • debian linux 7.0
  • debian linux 8.0
  • debian linux 9.0
  • drupal
