CVE-2017-6381Inclusion of Functionality from Untrusted Control Sphere in Drupal Core

CWE-829Inclusion of Functionality from Untrusted Control Sphere5 documents4 sources
Severity
8.1HIGHNVD
EPSS
3.3%
top 12.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Drupal CoreDrupalDrupal Core
Timeline
PublishedMar 16
Latest updateMay 13

Description

A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the /vendor/phpunit directory from your production deployments

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages4 packages

Packagistdrupal/core8.08.2.7
Packagistdrupal/drupal8.08.2.7
NVDdrupal/drupal20 versions+19
CVEListV5drupal/drupal_core8.2.x versions before 8.2.7

🔴Vulnerability Details

4
OSV
Drupal Remote code execution2022-05-13
GHSA
Drupal Remote code execution2022-05-13
CVEList
CVE-2017-6381: A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution2017-03-16
OSV
CVE-2017-6381: A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution2017-03-16
CVE-2017-6381 — Drupal Core vulnerability | cvebase