CVE-2017-6920

CWE-19CWE-94Code Injection4 documents4 sources
Severity
9.8CRITICAL
EPSS
66.1%
top 1.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Drupal DrupalDrupal CoreDrupal.org Drupal Core
Timeline
PublishedAug 6
Latest updateMay 14

Description

Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

Packagistdrupal/core8.08.3.4
CVEListV5drupal.org/drupal_core8 prior to 8.3.4
NVDdrupal/drupal8.0.08.3.4
Packagistdrupal/drupal8.08.3.4

Patches

Patch: www.drupal.orgPatch: www.drupal.org

🔴Vulnerability Details

3
OSV
Drupal PECL YAML parser unsafe object handling2022-05-14
GHSA
Drupal PECL YAML parser unsafe object handling2022-05-14
CVEList
CVE-2017-6920: Drupal core 8 before versions 82018-08-06
CVE-2017-6920 (CRITICAL CVSS 9.8) | Drupal core 8 before versions 8.3.4 | cvebase.io