CVE-2024-55634: Drupal core Access bypass

December 10, 2024

Drupal’s uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

References

github.com/advisories/GHSA-7cwc-fjqm-8vh8
github.com/drupal/core
github.com/drupal/core/commit/7ae0e8f1824e15f8b2b06e4da09836250e85e934
nvd.nist.gov/vuln/detail/CVE-2024-55634
www.drupal.org/sa-core-2024-004

Detect and mitigate CVE-2024-55634 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →