DRUPAL-CORE-2018-002

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2018-002.json

JSON Data

https://api.test.osv.dev/v1/vulns/DRUPAL-CORE-2018-002

Aliases

Published

2018-03-28T18:14:10Z

Modified

2025-12-02T23:09:07.598962Z

Summary

[none]

Details

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

The security team has written an FAQ about this issue.

Edited 2020, February 13 to fix links to patch files.

References

https://www.drupal.org/sa-core-2018-002

Credits

- Jasper Mattsson
- - https://www.drupal.org/u/Jasu_M

Affected packages

Packagist / drupal/core

Package

Name: drupal/core
Purl: pkg:composer/drupal/core

Affected ranges

Type

ECOSYSTEM

Events

Introduced

8.0.0

Fixed

8.3.9

Database specific

{
    "constraint": ">= 8.0.0 <8.3.9"
}

Type

ECOSYSTEM

Events

Introduced

8.4.0

Fixed

8.4.6

Database specific

{
    "constraint": ">=8.4.0 <8.4.6"
}

Type

ECOSYSTEM

Events

Introduced

8.5.0

Fixed

8.5.1

Database specific

{
    "constraint": ">=8.5.0 <8.5.1"
}

Affected versions

8.*

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.1.0-beta1

8.1.0-beta2

8.1.0-rc1

8.1.0

8.1.1

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.1.7

8.1.8

8.1.9

8.1.10

8.2.0-beta1

8.2.0-beta2

8.2.0-beta3

8.2.0-rc1

8.2.0-rc2

8.2.0

8.2.1

8.2.2

8.2.3

8.2.4

8.2.5

8.2.6

8.2.7

8.2.8

8.3.0-alpha1

8.3.0-beta1

8.3.0-rc1

8.3.0-rc2

8.3.0

8.3.1

8.3.2

8.3.3

8.3.4

8.3.5

8.3.6

8.3.7

8.3.8

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.5.0

Database specific

affected_versions

">=7.0 <7.58 || >= 8.0.0 <8.3.9 || >=8.4.0 <8.4.6 || >=8.5.0 <8.5.1"