CVE-2017-6381

8.1HIGH

Key Information

Vendor
Drupal
Status
Drupal Core
Vendor
CVE Published:
16 March 2017

Summary

A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the /vendor/phpunit directory from your production deployments

Affected Version(s)

Drupal Core = 8.2.x versions before 8.2.7

Refferences

http://www.securitytracker.com/id/1038058
vdb-entryx_refsource_SECTRACK
https://www.drupal.org/SA-2017-001
x_refsource_CONFIRM
http://www.securityfocus.com/bid/96919
vdb-entryx_refsource_BID

EPSS Score

2% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.