PT-2017-17026 · Drupal · Drupal

Timo Hilsdorf · Published 2017-03-16 · Updated 2022-05-13 · CVE-2017-6381

CVSS v3.1: 8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Drupal versions prior to 8.2.2

Description

A third-party development library included with Drupal 8 development dependencies is susceptible to remote code execution. However, this issue is mitigated by the default .htaccess protection against PHP execution and the fact that Composer development dependencies are not normally installed.

Recommendations

For versions prior to 8.2.2, consider removing the /vendor/phpunit directory from production deployments to mitigate the risk.

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2017-6381
GHSA-RHX9-3QF7-R3J7

Affected Products

Drupal