What is CVE-2017-6381?

CVE-2017-6381 is a high-severity vulnerability in Drupal, classified under Inclusion of Functionality from Untrusted Control Sphere. CVSS score: 8.1/10. Published 2017-03-16.

How severe is CVE-2017-6381?

High severity. CVSS v3 base score is 8.1 out of 10.

Vulnerability in Drupal

CVE-2017-6381

A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development de…

EPSS: 0.033 (87.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Drupal — versions 8.0.0, 8.0.1, 8.0.2
Drupal Core — versions 8.2.x versions before 8.2.7

Weakness classification (CWE)

CWE-829 — Inclusion of Functionality from Untrusted Control Sphere

References

mlhess@drupal.org (vdb-entry, x_refsource_SECTRACK)
mlhess@drupal.org (x_refsource_CONFIRM, Mitigation, Vendor Advisory)
mlhess@drupal.org (VDB Entry, Third Party Advisory, vdb-entry, x_refsource_BID)

Frequently asked questions

What is CVE-2017-6381?: CVE-2017-6381 is a high-severity vulnerability in Drupal, classified under Inclusion of Functionality from Untrusted Control Sphere. CVSS score: 8.1/10. Published 2017-03-16.
How severe is CVE-2017-6381?: High severity. CVSS v3 base score is 8.1 out of 10.