CVE-2017-6381

HIGH

Drupal < 8.2.7 - Remote Code Execution

Title source: rule

Description

A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit directory from your production deployments

References (3)

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1038058

[Mitigation, Vendor Advisory] https://www.drupal.org/SA-2017-001

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/96919

Scores

CVSS v3 8.1

EPSS 0.0331

EPSS Percentile 87.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-829

Status published

Products (15)

drupal/core 8.0 - 8.2.7Packagist

drupal/drupal 8.0.0 (33 CPE variants)

drupal/drupal 8.0.1

drupal/drupal 8.0.2

drupal/drupal 8.0.3

drupal/drupal 8.0.4

drupal/drupal 8.0.5

drupal/drupal 8.0.6

drupal/drupal 8.1.0 (4 CPE variants)

drupal/drupal 8.1.1

... and 5 more

Published Mar 16, 2017

Tracked Since Feb 18, 2026