CVE-2017-6381 Information

Description

A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution and the fact that Composer development dependencies aren’t normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren’t vulnerable you can remove the siteroot/vendor/phpunit directory from your production deployments

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://www.securityfocus.com/bid/96919 http://www.securitytracker.com/id/1038058 https://www.drupal.org/SA-2017-001

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.1