⚠️ CISA Known Exploited Vulnerability
Active ThreatThis vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Active exploitation has been observed in the wild. This poses significant risk to federal enterprises and should be prioritized for immediate patching.
CVE-2018-7602
Critical CISA KEV
Low
Medium
High
Critical
9.8
CVSS Score
Vulnerability Description
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
N
Attack Complexity
L
Privileges Required
N
User Interaction
N
Scope
U
Confidentiality
H
Integrity
H
Availability
H
Known Affected Software
68 configuration(s) from 2 vendor(s)
debian_linux
Version:
8.0
CPE:
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
debian_linux
Version:
7.0
CPE:
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
debian_linux
Version:
9.0
CPE:
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
drupal
Version:
7.53
CPE:
cpe:2.3:a:drupal:drupal:7.53:*:*:*:*:*:*:*
drupal
Version:
8.4.5
CPE:
cpe:2.3:a:drupal:drupal:8.4.5:*:*:*:*:*:*:*
drupal
Version:
7.38
CPE:
cpe:2.3:a:drupal:drupal:7.38:*:*:*:*:*:*:*
drupal
Version:
7.26
CPE:
cpe:2.3:a:drupal:drupal:7.26:*:*:*:*:*:*:*
drupal
Version:
8.4.2
CPE:
cpe:2.3:a:drupal:drupal:8.4.2:*:*:*:*:*:*:*
drupal
Version:
8.5.0
CPE:
cpe:2.3:a:drupal:drupal:8.5.0:-:*:*:*:*:*:*
drupal
Version:
7.9
CPE:
cpe:2.3:a:drupal:drupal:7.9:*:*:*:*:*:*:*
drupal
Version:
7.5
CPE:
cpe:2.3:a:drupal:drupal:7.5:*:*:*:*:*:*:*
drupal
Version:
7.3
CPE:
cpe:2.3:a:drupal:drupal:7.3:*:*:*:*:*:*:*
drupal
Version:
7.32
CPE:
cpe:2.3:a:drupal:drupal:7.32:*:*:*:*:*:*:*
drupal
Version:
7.24
CPE:
cpe:2.3:a:drupal:drupal:7.24:*:*:*:*:*:*:*
drupal
Version:
7.41
CPE:
cpe:2.3:a:drupal:drupal:7.41:*:*:*:*:*:*:*
drupal
Version:
7.42
CPE:
cpe:2.3:a:drupal:drupal:7.42:*:*:*:*:*:*:*
drupal
Version:
7.4
CPE:
cpe:2.3:a:drupal:drupal:7.4:*:*:*:*:*:*:*
drupal
Version:
8.4.3
CPE:
cpe:2.3:a:drupal:drupal:8.4.3:*:*:*:*:*:*:*
drupal
Version:
7.11
CPE:
cpe:2.3:a:drupal:drupal:7.11:*:*:*:*:*:*:*
drupal
Version:
7.0
CPE:
cpe:2.3:a:drupal:drupal:7.0:beta1:*:*:*:*:*:*
drupal
Version:
7.21
CPE:
cpe:2.3:a:drupal:drupal:7.21:*:*:*:*:*:*:*
drupal
Version:
7.27
CPE:
cpe:2.3:a:drupal:drupal:7.27:*:*:*:*:*:*:*
drupal
Version:
7.58
CPE:
cpe:2.3:a:drupal:drupal:7.58:*:*:*:*:*:*:*
drupal
Version:
7.50
CPE:
cpe:2.3:a:drupal:drupal:7.50:*:*:*:*:*:*:*
drupal
Version:
7.44
CPE:
cpe:2.3:a:drupal:drupal:7.44:*:*:*:*:*:*:*
drupal
Version:
7.51
CPE:
cpe:2.3:a:drupal:drupal:7.51:*:*:*:*:*:*:*
drupal
Version:
7.23
CPE:
cpe:2.3:a:drupal:drupal:7.23:*:*:*:*:*:*:*
drupal
Version:
7.35
CPE:
cpe:2.3:a:drupal:drupal:7.35:*:*:*:*:*:*:*
drupal
Version:
7.57
CPE:
cpe:2.3:a:drupal:drupal:7.57:*:*:*:*:*:*:*
drupal
Version:
8.4.1
CPE:
cpe:2.3:a:drupal:drupal:8.4.1:*:*:*:*:*:*:*
drupal
Version:
7.56
CPE:
cpe:2.3:a:drupal:drupal:7.56:*:*:*:*:*:*:*
drupal
Version:
7.8
CPE:
cpe:2.3:a:drupal:drupal:7.8:*:*:*:*:*:*:*
drupal
Version:
7.43
CPE:
cpe:2.3:a:drupal:drupal:7.43:*:*:*:*:*:*:*
drupal
Version:
7.7
CPE:
cpe:2.3:a:drupal:drupal:7.7:*:*:*:*:*:*:*
drupal
Version:
7.36
CPE:
cpe:2.3:a:drupal:drupal:7.36:*:*:*:*:*:*:*
drupal
Version:
7.10
CPE:
cpe:2.3:a:drupal:drupal:7.10:*:*:*:*:*:*:*
drupal
Version:
7.33
CPE:
cpe:2.3:a:drupal:drupal:7.33:*:*:*:*:*:*:*
drupal
Version:
7.52
CPE:
cpe:2.3:a:drupal:drupal:7.52:*:*:*:*:*:*:*
drupal
Version:
8.4.6
CPE:
cpe:2.3:a:drupal:drupal:8.4.6:*:*:*:*:*:*:*
drupal
Version:
7.2
CPE:
cpe:2.3:a:drupal:drupal:7.2:*:*:*:*:*:*:*
drupal
Version:
7.39
CPE:
cpe:2.3:a:drupal:drupal:7.39:*:*:*:*:*:*:*
drupal
Version:
7.29
CPE:
cpe:2.3:a:drupal:drupal:7.29:*:*:*:*:*:*:*
drupal
Version:
7.54
CPE:
cpe:2.3:a:drupal:drupal:7.54:*:*:*:*:*:*:*
drupal
Version:
7.15
CPE:
cpe:2.3:a:drupal:drupal:7.15:*:*:*:*:*:*:*
drupal
Version:
8.4.7
CPE:
cpe:2.3:a:drupal:drupal:8.4.7:*:*:*:*:*:*:*
drupal
Version:
7.22
CPE:
cpe:2.3:a:drupal:drupal:7.22:*:*:*:*:*:*:*
drupal
Version:
8.5.2
CPE:
cpe:2.3:a:drupal:drupal:8.5.2:*:*:*:*:*:*:*
drupal
Version:
7.25
CPE:
cpe:2.3:a:drupal:drupal:7.25:*:*:*:*:*:*:*
drupal
Version:
7.34
CPE:
cpe:2.3:a:drupal:drupal:7.34:*:*:*:*:*:*:*
drupal
Version:
7.28
CPE:
cpe:2.3:a:drupal:drupal:7.28:*:*:*:*:*:*:*
drupal
Version:
7.16
CPE:
cpe:2.3:a:drupal:drupal:7.16:*:*:*:*:*:*:*
drupal
Version:
7.1
CPE:
cpe:2.3:a:drupal:drupal:7.1:*:*:*:*:*:*:*
drupal
Version:
7.30
CPE:
cpe:2.3:a:drupal:drupal:7.30:*:*:*:*:*:*:*
drupal
Version:
7.13
CPE:
cpe:2.3:a:drupal:drupal:7.13:*:*:*:*:*:*:*
drupal
Version:
7.14
CPE:
cpe:2.3:a:drupal:drupal:7.14:*:*:*:*:*:*:*
drupal
Version:
7.31
CPE:
cpe:2.3:a:drupal:drupal:7.31:*:*:*:*:*:*:*
drupal
Version:
7.37
CPE:
cpe:2.3:a:drupal:drupal:7.37:*:*:*:*:*:*:*
drupal
Version:
7.17
CPE:
cpe:2.3:a:drupal:drupal:7.17:*:*:*:*:*:*:*
drupal
Version:
7.19
CPE:
cpe:2.3:a:drupal:drupal:7.19:*:*:*:*:*:*:*
drupal
Version:
7.12
CPE:
cpe:2.3:a:drupal:drupal:7.12:*:*:*:*:*:*:*
drupal
Version:
7.55
CPE:
cpe:2.3:a:drupal:drupal:7.55:*:*:*:*:*:*:*
drupal
Version:
7.20
CPE:
cpe:2.3:a:drupal:drupal:7.20:*:*:*:*:*:*:*
drupal
Version:
7.18
CPE:
cpe:2.3:a:drupal:drupal:7.18:*:*:*:*:*:*:*
drupal
Version:
8.5.1
CPE:
cpe:2.3:a:drupal:drupal:8.5.1:*:*:*:*:*:*:*
drupal
Version:
8.4.4
CPE:
cpe:2.3:a:drupal:drupal:8.4.4:*:*:*:*:*:*:*
drupal
Version:
7.40
CPE:
cpe:2.3:a:drupal:drupal:7.40:*:*:*:*:*:*:*
drupal
Version:
8.4.0
CPE:
cpe:2.3:a:drupal:drupal:8.4.0:-:*:*:*:*:*:*
drupal
Version:
7.6
CPE:
cpe:2.3:a:drupal:drupal:7.6:*:*:*:*:*:*:*
This vulnerability affects 68 software configuration(s). Ensure you patch all affected systems.
References & Resources
-
http://www.securityfocus.com/bid/103985mlhess@drupal.org Broken Link Third Party Advisory VDB Entry
-
http://www.securitytracker.com/id/1040754mlhess@drupal.org Broken Link Third Party Advisory VDB Entry
-
https://lists.debian.org/debian-lts-announce/2018/04/msg00030.htmlmlhess@drupal.org Mailing List Third Party Advisory
-
https://www.debian.org/security/2018/dsa-4180mlhess@drupal.org Third Party Advisory
-
https://www.drupal.org/sa-core-2018-004mlhess@drupal.org Patch Vendor Advisory
-
https://www.exploit-db.com/exploits/44542/mlhess@drupal.org Exploit Third Party Advisory VDB Entry
-
https://www.exploit-db.com/exploits/44557/mlhess@drupal.org Exploit Third Party Advisory VDB Entry
-
http://www.securityfocus.com/bid/103985af854a3a-2127-422b-91ae-364da2661108 Broken Link Third Party Advisory VDB Entry
-
http://www.securitytracker.com/id/1040754af854a3a-2127-422b-91ae-364da2661108 Broken Link Third Party Advisory VDB Entry
-
https://lists.debian.org/debian-lts-announce/2018/04/msg00030.htmlaf854a3a-2127-422b-91ae-364da2661108 Mailing List Third Party Advisory
-
https://www.debian.org/security/2018/dsa-4180af854a3a-2127-422b-91ae-364da2661108 Third Party Advisory
-
https://www.drupal.org/sa-core-2018-004af854a3a-2127-422b-91ae-364da2661108 Patch Vendor Advisory
-
https://www.exploit-db.com/exploits/44542/af854a3a-2127-422b-91ae-364da2661108 Exploit Third Party Advisory VDB Entry
-
https://www.exploit-db.com/exploits/44557/af854a3a-2127-422b-91ae-364da2661108 Exploit Third Party Advisory VDB Entry
-
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7602134c704f-9b21-4f2e-91b3-4a467353bcc0 US Government Resource
Severity Details
9.8
out of 10.0
Critical
CISA KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalog
Key Information
- Published Date
- July 19, 2018
