CVE-2017-6381 : A 3rd party development library including with Drupal 8 development dependencies

A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit directory from your production deployments

Published 2017-03-16 14:59:00

Updated 2019-10-03 00:03:26

Source Drupal.org

View at NVD, CVE.org

Vulnerability category: File inclusionExecute code

Products affected by CVE-2017-6381

Drupal » Drupal » Version: 8.0.3
cpe:2.3:a:drupal:drupal:8.0.3:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.2
cpe:2.3:a:drupal:drupal:8.0.2:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.1
cpe:2.3:a:drupal:drupal:8.0.1:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0
cpe:2.3:a:drupal:drupal:8.0.0:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Beta6
cpe:2.3:a:drupal:drupal:8.0.0:beta6:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Beta4
cpe:2.3:a:drupal:drupal:8.0.0:beta4:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Beta3
cpe:2.3:a:drupal:drupal:8.0.0:beta3:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Beta2
cpe:2.3:a:drupal:drupal:8.0.0:beta2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update RC3
cpe:2.3:a:drupal:drupal:8.0.0:rc3:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update RC1
cpe:2.3:a:drupal:drupal:8.0.0:rc1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Beta12
cpe:2.3:a:drupal:drupal:8.0.0:beta12:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Beta10
cpe:2.3:a:drupal:drupal:8.0.0:beta10:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Beta7
cpe:2.3:a:drupal:drupal:8.0.0:beta7:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Beta1
cpe:2.3:a:drupal:drupal:8.0.0:beta1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Alpha14
cpe:2.3:a:drupal:drupal:8.0.0:alpha14:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Alpha7
cpe:2.3:a:drupal:drupal:8.0.0:alpha7:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Alpha5
cpe:2.3:a:drupal:drupal:8.0.0:alpha5:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Alpha4
cpe:2.3:a:drupal:drupal:8.0.0:alpha4:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Alpha3
cpe:2.3:a:drupal:drupal:8.0.0:alpha3:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Alpha2
cpe:2.3:a:drupal:drupal:8.0.0:alpha2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Beta16
cpe:2.3:a:drupal:drupal:8.0.0:beta16:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Beta15
cpe:2.3:a:drupal:drupal:8.0.0:beta15:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Beta14
cpe:2.3:a:drupal:drupal:8.0.0:beta14:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Beta13
cpe:2.3:a:drupal:drupal:8.0.0:beta13:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Alpha12
cpe:2.3:a:drupal:drupal:8.0.0:alpha12:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Alpha11
cpe:2.3:a:drupal:drupal:8.0.0:alpha11:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Alpha10
cpe:2.3:a:drupal:drupal:8.0.0:alpha10:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Alpha9
cpe:2.3:a:drupal:drupal:8.0.0:alpha9:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update RC4
cpe:2.3:a:drupal:drupal:8.0.0:rc4:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update RC2
cpe:2.3:a:drupal:drupal:8.0.0:rc2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Beta11
cpe:2.3:a:drupal:drupal:8.0.0:beta11:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Beta9
cpe:2.3:a:drupal:drupal:8.0.0:beta9:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Alpha15
cpe:2.3:a:drupal:drupal:8.0.0:alpha15:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Alpha13
cpe:2.3:a:drupal:drupal:8.0.0:alpha13:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Alpha8
cpe:2.3:a:drupal:drupal:8.0.0:alpha8:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.0 Update Alpha6
cpe:2.3:a:drupal:drupal:8.0.0:alpha6:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.1.0 Update RC1
cpe:2.3:a:drupal:drupal:8.1.0:rc1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.1.0
cpe:2.3:a:drupal:drupal:8.1.0:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.4
cpe:2.3:a:drupal:drupal:8.0.4:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.1.1
cpe:2.3:a:drupal:drupal:8.1.1:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.1.2
cpe:2.3:a:drupal:drupal:8.1.2:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.5
cpe:2.3:a:drupal:drupal:8.0.5:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.0.6
cpe:2.3:a:drupal:drupal:8.0.6:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.1.0 Update Beta1
cpe:2.3:a:drupal:drupal:8.1.0:beta1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.1.0 Update Beta2
cpe:2.3:a:drupal:drupal:8.1.0:beta2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.1.5
cpe:2.3:a:drupal:drupal:8.1.5:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.1.7
cpe:2.3:a:drupal:drupal:8.1.7:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.1.8
cpe:2.3:a:drupal:drupal:8.1.8:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.1.9
cpe:2.3:a:drupal:drupal:8.1.9:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.1.3
cpe:2.3:a:drupal:drupal:8.1.3:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.1.4
cpe:2.3:a:drupal:drupal:8.1.4:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.1.6
cpe:2.3:a:drupal:drupal:8.1.6:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.2.0 Update RC2
cpe:2.3:a:drupal:drupal:8.2.0:rc2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.2.0 Update RC1
cpe:2.3:a:drupal:drupal:8.2.0:rc1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.2.1
cpe:2.3:a:drupal:drupal:8.2.1:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.2.0
cpe:2.3:a:drupal:drupal:8.2.0:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.2.0 Update Beta3
cpe:2.3:a:drupal:drupal:8.2.0:beta3:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.2.0 Update Beta2
cpe:2.3:a:drupal:drupal:8.2.0:beta2:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.2.0 Update Beta1
cpe:2.3:a:drupal:drupal:8.2.0:beta1:*:*:*:*:*:*
Matching versions
Drupal » Drupal » Version: 8.1.10
cpe:2.3:a:drupal:drupal:8.1.10:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-6381

EPSS FAQ

5.38%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 89 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-6381

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.1	HIGH	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	2.2	5.9	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-6381

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-6381

https://www.drupal.org/SA-2017-001

Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001 | Drupal.org
Mitigation;Vendor Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1038058

Drupal Multiple Flaws Let Remote Users Conduct Cross-Site Request Forgery Attacks and Execute Arbitrary Code and Let Remote Authenticated Users Access Files on the Target System - SecurityTracker

CVEs referencing this url
http://www.securityfocus.com/bid/96919

Drupal Core DRUPAL-SA-CORE-2017-001 Multiple Security Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2017-6381

Products affected by CVE-2017-6381

Exploit prediction scoring system (EPSS) score for CVE-2017-6381

CVSS scores for CVE-2017-6381

CWE ids for CVE-2017-6381

References for CVE-2017-6381