CVE-2017-6381

HIGH

Drupal < 8.2.2 - Remote Code Execution via Third-Party Development Library

Title source: llm
STIX 2.1

Description

A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit directory from your production deployments

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038058
Mitigation, Vendor Advisory x_refsource_confirm
https://www.drupal.org/SA-2017-001
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/96919

Scores

CVSS v3 8.1
EPSS 0.0390
EPSS Percentile 88.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-829
Status published
Products (15)
drupal/core 8.0 - 8.2.7Packagist
drupal/drupal 8.0.0 (33 CPE variants)
drupal/drupal 8.0.1
drupal/drupal 8.0.2
drupal/drupal 8.0.3
drupal/drupal 8.0.4
drupal/drupal 8.0.5
drupal/drupal 8.0.6
drupal/drupal 8.1.0 (4 CPE variants)
drupal/drupal 8.1.1
... and 5 more
Published Mar 16, 2017
Tracked Since Feb 18, 2026