Vulnerability Details CVE-2018-7600
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.945
EPSS Ranking 100.0%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
Proposed Action
Drupal Core contains a remote code execution vulnerability that could allow an attacker to exploit multiple attack vectors on a Drupal site, resulting in complete site compromise.
Ransomware Campaign
Known
References
- http://www.securityfocus.com/bid/103534
- http://www.securitytracker.com/id/1040598
- https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/
- https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714
- https://github.com/a2u/CVE-2018-7600
- https://github.com/g0rx/CVE-2018-7600-Drupal-RCE
- https://greysec.net/showthread.php?tid=2912&pid=10561
- https://groups.drupal.org/security/faq-2018-002
- https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html
- https://research.checkpoint.com/uncovering-drupalgeddon-2/
- https://twitter.com/RicterZ/status/979567469726613504
- https://twitter.com/RicterZ/status/984495201354854401
- https://twitter.com/arancaytar/status/979090719003627521
- https://www.debian.org/security/2018/dsa-4156
- https://www.drupal.org/sa-core-2018-002
- https://www.exploit-db.com/exploits/44448/
- https://www.exploit-db.com/exploits/44449/
- https://www.exploit-db.com/exploits/44482/
- https://www.synology.com/support/security/Synology_SA_18_17
- https://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know
- http://www.securityfocus.com/bid/103534
- http://www.securitytracker.com/id/1040598
- https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/
- https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714
- https://github.com/a2u/CVE-2018-7600
- https://github.com/g0rx/CVE-2018-7600-Drupal-RCE
- https://greysec.net/showthread.php?tid=2912&pid=10561
- https://groups.drupal.org/security/faq-2018-002
- https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html
- https://research.checkpoint.com/uncovering-drupalgeddon-2/
- https://twitter.com/RicterZ/status/979567469726613504
- https://twitter.com/RicterZ/status/984495201354854401
- https://twitter.com/arancaytar/status/979090719003627521
- https://www.debian.org/security/2018/dsa-4156
- https://www.drupal.org/sa-core-2018-002
- https://www.exploit-db.com/exploits/44448/
- https://www.exploit-db.com/exploits/44449/
- https://www.exploit-db.com/exploits/44482/
- https://www.synology.com/support/security/Synology_SA_18_17
- https://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know
Products affected by CVE-2018-7600
-
cpe:2.3:a:drupal:drupal:-
-
cpe:2.3:a:drupal:drupal:4.0.0
-
cpe:2.3:a:drupal:drupal:4.1.0
-
cpe:2.3:a:drupal:drupal:4.2.0
-
cpe:2.3:a:drupal:drupal:4.3.0
-
cpe:2.3:a:drupal:drupal:4.3.1
-
cpe:2.3:a:drupal:drupal:4.3.2
-
cpe:2.3:a:drupal:drupal:4.4.0
-
cpe:2.3:a:drupal:drupal:4.4.1
-
cpe:2.3:a:drupal:drupal:4.4.2
-
cpe:2.3:a:drupal:drupal:4.4.3
-
cpe:2.3:a:drupal:drupal:4.5.0
-
cpe:2.3:a:drupal:drupal:4.5.1
-
cpe:2.3:a:drupal:drupal:4.5.2
-
cpe:2.3:a:drupal:drupal:4.5.3
-
cpe:2.3:a:drupal:drupal:4.5.4
-
cpe:2.3:a:drupal:drupal:4.5.5
-
cpe:2.3:a:drupal:drupal:4.5.6
-
cpe:2.3:a:drupal:drupal:4.5.7
-
cpe:2.3:a:drupal:drupal:4.5.8
-
cpe:2.3:a:drupal:drupal:4.6.0
-
cpe:2.3:a:drupal:drupal:4.6.1
-
cpe:2.3:a:drupal:drupal:4.6.10
-
cpe:2.3:a:drupal:drupal:4.6.11
-
cpe:2.3:a:drupal:drupal:4.6.2
-
cpe:2.3:a:drupal:drupal:4.6.3
-
cpe:2.3:a:drupal:drupal:4.6.4
-
cpe:2.3:a:drupal:drupal:4.6.5
-
cpe:2.3:a:drupal:drupal:4.6.6
-
cpe:2.3:a:drupal:drupal:4.6.7
-
cpe:2.3:a:drupal:drupal:4.6.8
-
cpe:2.3:a:drupal:drupal:4.6.9
-
cpe:2.3:a:drupal:drupal:4.7.0
-
cpe:2.3:a:drupal:drupal:4.7.1
-
cpe:2.3:a:drupal:drupal:4.7.10
-
cpe:2.3:a:drupal:drupal:4.7.11
-
cpe:2.3:a:drupal:drupal:4.7.2
-
cpe:2.3:a:drupal:drupal:4.7.3
-
cpe:2.3:a:drupal:drupal:4.7.4
-
cpe:2.3:a:drupal:drupal:4.7.5
-
cpe:2.3:a:drupal:drupal:4.7.6
-
cpe:2.3:a:drupal:drupal:4.7.7
-
cpe:2.3:a:drupal:drupal:4.7.8
-
cpe:2.3:a:drupal:drupal:4.7.9
-
cpe:2.3:a:drupal:drupal:5.0
-
cpe:2.3:a:drupal:drupal:5.1
-
cpe:2.3:a:drupal:drupal:5.10
-
cpe:2.3:a:drupal:drupal:5.11
-
cpe:2.3:a:drupal:drupal:5.12
-
cpe:2.3:a:drupal:drupal:5.13
-
cpe:2.3:a:drupal:drupal:5.14
-
cpe:2.3:a:drupal:drupal:5.15
-
cpe:2.3:a:drupal:drupal:5.16
-
cpe:2.3:a:drupal:drupal:5.17
-
cpe:2.3:a:drupal:drupal:5.18
-
cpe:2.3:a:drupal:drupal:5.19
-
cpe:2.3:a:drupal:drupal:5.2
-
cpe:2.3:a:drupal:drupal:5.20
-
cpe:2.3:a:drupal:drupal:5.21
-
cpe:2.3:a:drupal:drupal:5.22
-
cpe:2.3:a:drupal:drupal:5.23
-
cpe:2.3:a:drupal:drupal:5.3
-
cpe:2.3:a:drupal:drupal:5.4
-
cpe:2.3:a:drupal:drupal:5.5
-
cpe:2.3:a:drupal:drupal:5.6
-
cpe:2.3:a:drupal:drupal:5.7
-
cpe:2.3:a:drupal:drupal:5.8
-
cpe:2.3:a:drupal:drupal:5.9
-
cpe:2.3:a:drupal:drupal:6.0
-
cpe:2.3:a:drupal:drupal:6.1
-
cpe:2.3:a:drupal:drupal:6.10
-
cpe:2.3:a:drupal:drupal:6.11
-
cpe:2.3:a:drupal:drupal:6.12
-
cpe:2.3:a:drupal:drupal:6.13
-
cpe:2.3:a:drupal:drupal:6.14
-
cpe:2.3:a:drupal:drupal:6.15
-
cpe:2.3:a:drupal:drupal:6.16
-
cpe:2.3:a:drupal:drupal:6.17
-
cpe:2.3:a:drupal:drupal:6.18
-
cpe:2.3:a:drupal:drupal:6.19
-
cpe:2.3:a:drupal:drupal:6.2
-
cpe:2.3:a:drupal:drupal:6.20
-
cpe:2.3:a:drupal:drupal:6.21
-
cpe:2.3:a:drupal:drupal:6.22
-
cpe:2.3:a:drupal:drupal:6.23
-
cpe:2.3:a:drupal:drupal:6.24
-
cpe:2.3:a:drupal:drupal:6.25
-
cpe:2.3:a:drupal:drupal:6.26
-
cpe:2.3:a:drupal:drupal:6.27
-
cpe:2.3:a:drupal:drupal:6.28
-
cpe:2.3:a:drupal:drupal:6.29
-
cpe:2.3:a:drupal:drupal:6.3
-
cpe:2.3:a:drupal:drupal:6.30
-
cpe:2.3:a:drupal:drupal:6.31
-
cpe:2.3:a:drupal:drupal:6.32
-
cpe:2.3:a:drupal:drupal:6.33
-
cpe:2.3:a:drupal:drupal:6.34
-
cpe:2.3:a:drupal:drupal:6.35
-
cpe:2.3:a:drupal:drupal:6.36
-
cpe:2.3:a:drupal:drupal:6.37
-
cpe:2.3:a:drupal:drupal:6.38
-
cpe:2.3:a:drupal:drupal:6.4
-
cpe:2.3:a:drupal:drupal:6.5
-
cpe:2.3:a:drupal:drupal:6.6
-
cpe:2.3:a:drupal:drupal:6.7
-
cpe:2.3:a:drupal:drupal:6.8
-
cpe:2.3:a:drupal:drupal:6.9
-
cpe:2.3:a:drupal:drupal:7.0
-
cpe:2.3:a:drupal:drupal:7.1
-
cpe:2.3:a:drupal:drupal:7.10
-
cpe:2.3:a:drupal:drupal:7.11
-
cpe:2.3:a:drupal:drupal:7.12
-
cpe:2.3:a:drupal:drupal:7.13
-
cpe:2.3:a:drupal:drupal:7.14
-
cpe:2.3:a:drupal:drupal:7.15
-
cpe:2.3:a:drupal:drupal:7.16
-
cpe:2.3:a:drupal:drupal:7.17
-
cpe:2.3:a:drupal:drupal:7.18
-
cpe:2.3:a:drupal:drupal:7.19
-
cpe:2.3:a:drupal:drupal:7.2
-
cpe:2.3:a:drupal:drupal:7.20
-
cpe:2.3:a:drupal:drupal:7.21
-
cpe:2.3:a:drupal:drupal:7.22
-
cpe:2.3:a:drupal:drupal:7.23
-
cpe:2.3:a:drupal:drupal:7.24
-
cpe:2.3:a:drupal:drupal:7.25
-
cpe:2.3:a:drupal:drupal:7.26
-
cpe:2.3:a:drupal:drupal:7.27
-
cpe:2.3:a:drupal:drupal:7.28
-
cpe:2.3:a:drupal:drupal:7.29
-
cpe:2.3:a:drupal:drupal:7.3
-
cpe:2.3:a:drupal:drupal:7.30
-
cpe:2.3:a:drupal:drupal:7.31
-
cpe:2.3:a:drupal:drupal:7.32
-
cpe:2.3:a:drupal:drupal:7.33
-
cpe:2.3:a:drupal:drupal:7.34
-
cpe:2.3:a:drupal:drupal:7.35
-
cpe:2.3:a:drupal:drupal:7.36
-
cpe:2.3:a:drupal:drupal:7.37
-
cpe:2.3:a:drupal:drupal:7.38
-
cpe:2.3:a:drupal:drupal:7.39
-
cpe:2.3:a:drupal:drupal:7.4
-
cpe:2.3:a:drupal:drupal:7.40
-
cpe:2.3:a:drupal:drupal:7.41
-
cpe:2.3:a:drupal:drupal:7.42
-
cpe:2.3:a:drupal:drupal:7.43
-
cpe:2.3:a:drupal:drupal:7.44
-
cpe:2.3:a:drupal:drupal:7.5
-
cpe:2.3:a:drupal:drupal:7.50
-
cpe:2.3:a:drupal:drupal:7.51
-
cpe:2.3:a:drupal:drupal:7.52
-
cpe:2.3:a:drupal:drupal:7.53
-
cpe:2.3:a:drupal:drupal:7.54
-
cpe:2.3:a:drupal:drupal:7.55
-
cpe:2.3:a:drupal:drupal:7.56
-
cpe:2.3:a:drupal:drupal:7.57
-
cpe:2.3:a:drupal:drupal:7.6
-
cpe:2.3:a:drupal:drupal:7.7
-
cpe:2.3:a:drupal:drupal:7.8
-
cpe:2.3:a:drupal:drupal:7.9
-
cpe:2.3:a:drupal:drupal:8.0.0
-
cpe:2.3:a:drupal:drupal:8.0.1
-
cpe:2.3:a:drupal:drupal:8.0.2
-
cpe:2.3:a:drupal:drupal:8.0.3
-
cpe:2.3:a:drupal:drupal:8.0.4
-
cpe:2.3:a:drupal:drupal:8.0.5
-
cpe:2.3:a:drupal:drupal:8.0.6
-
cpe:2.3:a:drupal:drupal:8.1.0
-
cpe:2.3:a:drupal:drupal:8.1.1
-
cpe:2.3:a:drupal:drupal:8.1.10
-
cpe:2.3:a:drupal:drupal:8.1.2
-
cpe:2.3:a:drupal:drupal:8.1.3
-
cpe:2.3:a:drupal:drupal:8.1.4
-
cpe:2.3:a:drupal:drupal:8.1.5
-
cpe:2.3:a:drupal:drupal:8.1.6
-
cpe:2.3:a:drupal:drupal:8.1.7
-
cpe:2.3:a:drupal:drupal:8.1.8
-
cpe:2.3:a:drupal:drupal:8.1.9
-
cpe:2.3:a:drupal:drupal:8.2.0
-
cpe:2.3:a:drupal:drupal:8.2.1
-
cpe:2.3:a:drupal:drupal:8.2.2
-
cpe:2.3:a:drupal:drupal:8.2.3
-
cpe:2.3:a:drupal:drupal:8.2.4
-
cpe:2.3:a:drupal:drupal:8.2.5
-
cpe:2.3:a:drupal:drupal:8.2.6
-
cpe:2.3:a:drupal:drupal:8.2.7
-
cpe:2.3:a:drupal:drupal:8.2.8
-
cpe:2.3:a:drupal:drupal:8.3.0
-
cpe:2.3:a:drupal:drupal:8.3.1
-
cpe:2.3:a:drupal:drupal:8.3.2
-
cpe:2.3:a:drupal:drupal:8.3.3
-
cpe:2.3:a:drupal:drupal:8.3.4
-
cpe:2.3:a:drupal:drupal:8.3.5
-
cpe:2.3:a:drupal:drupal:8.3.6
-
cpe:2.3:a:drupal:drupal:8.3.7
-
cpe:2.3:a:drupal:drupal:8.3.8
-
cpe:2.3:a:drupal:drupal:8.4.0
-
cpe:2.3:a:drupal:drupal:8.4.1
-
cpe:2.3:a:drupal:drupal:8.4.2
-
cpe:2.3:a:drupal:drupal:8.4.3
-
cpe:2.3:a:drupal:drupal:8.4.4
-
cpe:2.3:a:drupal:drupal:8.4.5
-
cpe:2.3:a:drupal:drupal:8.5.0
-
cpe:2.3:o:debian:debian_linux:7.0
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:debian:debian_linux:9.0