CVE-2017-6381

State: PUBLISHED · Published: 2017-03-16 · Updated: 2024-08-05 · Assigner: drupal

Description

A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit directory from your production deployments

CWE

(none)

Affected

Drupal / Drupal Core — v=8.2.x versions before 8.2.7 [affected]

CVSS

(none)

References

http://www.securitytracker.com/id/1038058 vdb-entry, x_refsource_SECTRACK
https://www.drupal.org/SA-2017-001 x_refsource_CONFIRM
http://www.securityfocus.com/bid/96919 vdb-entry, x_refsource_BID

Source

cvelistV5-main/cves/2017/6xxx/CVE-2017-6381.json