CVE-2017-6381

EPSS 3.56%
Published 16.03.2017 14:59:00
Last modified 20.04.2025 01:37:25
Source mlhess@drupal.org
Teams watchlist Login
Open Login

A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit directory from your production deployments

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Drupal ≫ Drupal Version8.0.0

Drupal ≫ Drupal Version8.0.0 Updatealpha10

Drupal ≫ Drupal Version8.0.0 Updatealpha11

Drupal ≫ Drupal Version8.0.0 Updatealpha12

Drupal ≫ Drupal Version8.0.0 Updatealpha13

Drupal ≫ Drupal Version8.0.0 Updatealpha14

Drupal ≫ Drupal Version8.0.0 Updatealpha15

Drupal ≫ Drupal Version8.0.0 Updatealpha2

Drupal ≫ Drupal Version8.0.0 Updatealpha3

Drupal ≫ Drupal Version8.0.0 Updatealpha4

Drupal ≫ Drupal Version8.0.0 Updatealpha5

Drupal ≫ Drupal Version8.0.0 Updatealpha6

Drupal ≫ Drupal Version8.0.0 Updatealpha7

Drupal ≫ Drupal Version8.0.0 Updatealpha8

Drupal ≫ Drupal Version8.0.0 Updatealpha9

Drupal ≫ Drupal Version8.0.0 Updatebeta1

Drupal ≫ Drupal Version8.0.0 Updatebeta10

Drupal ≫ Drupal Version8.0.0 Updatebeta11

Drupal ≫ Drupal Version8.0.0 Updatebeta12

Drupal ≫ Drupal Version8.0.0 Updatebeta13

Drupal ≫ Drupal Version8.0.0 Updatebeta14

Drupal ≫ Drupal Version8.0.0 Updatebeta15

Drupal ≫ Drupal Version8.0.0 Updatebeta16

Drupal ≫ Drupal Version8.0.0 Updatebeta2

Drupal ≫ Drupal Version8.0.0 Updatebeta3

Drupal ≫ Drupal Version8.0.0 Updatebeta4

Drupal ≫ Drupal Version8.0.0 Updatebeta6

Drupal ≫ Drupal Version8.0.0 Updatebeta7

Drupal ≫ Drupal Version8.0.0 Updatebeta9

Drupal ≫ Drupal Version8.0.0 Updaterc1

Drupal ≫ Drupal Version8.0.0 Updaterc2

Drupal ≫ Drupal Version8.0.0 Updaterc3

Drupal ≫ Drupal Version8.0.0 Updaterc4

Drupal ≫ Drupal Version8.0.1

Drupal ≫ Drupal Version8.0.2

Drupal ≫ Drupal Version8.0.3

Drupal ≫ Drupal Version8.0.4

Drupal ≫ Drupal Version8.0.5

Drupal ≫ Drupal Version8.0.6

Drupal ≫ Drupal Version8.1.0

Drupal ≫ Drupal Version8.1.0 Updatebeta1

Drupal ≫ Drupal Version8.1.0 Updatebeta2

Drupal ≫ Drupal Version8.1.0 Updaterc1

Drupal ≫ Drupal Version8.1.1

Drupal ≫ Drupal Version8.1.2

Drupal ≫ Drupal Version8.1.3

Drupal ≫ Drupal Version8.1.4

Drupal ≫ Drupal Version8.1.5

Drupal ≫ Drupal Version8.1.6

Drupal ≫ Drupal Version8.1.7

Drupal ≫ Drupal Version8.1.8

Drupal ≫ Drupal Version8.1.9

Drupal ≫ Drupal Version8.1.10

Drupal ≫ Drupal Version8.2.0

Drupal ≫ Drupal Version8.2.0 Updatebeta1

Drupal ≫ Drupal Version8.2.0 Updatebeta2

Drupal ≫ Drupal Version8.2.0 Updatebeta3

Drupal ≫ Drupal Version8.2.0 Updaterc1

Drupal ≫ Drupal Version8.2.0 Updaterc2

Drupal ≫ Drupal Version8.2.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	3.56%	0.873

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

http://www.securityfocus.com/bid/96919

Third Party Advisory

VDB Entry

http://www.securitytracker.com/id/1038058

https://www.drupal.org/SA-2017-001

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2017-6381

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-6381

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-6381

EUVD