High severity8.1NVD Advisory· Published Mar 16, 2017· Updated May 13, 2026
CVE-2017-6381
CVE-2017-6381
Description
A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit directory from your production deployments
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
drupal/corePackagist | >= 8.0, < 8.2.7 | 8.2.7 |
drupal/drupalPackagist | >= 8.0, < 8.2.7 | 8.2.7 |
Affected products
61cpe:2.3:a:drupal:drupal:8.0.0:*:*:*:*:*:*:*+ 59 more
- cpe:2.3:a:drupal:drupal:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha10:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha11:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha12:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha13:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha14:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha15:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha6:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha7:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha8:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha9:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta10:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta11:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta12:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta13:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta14:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta15:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta16:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta7:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta9:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.10:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.1:*:*:*:*:*:*:*
- Drupal/Drupal Corev5Range: 8.2.x versions before 8.2.7
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- www.securityfocus.com/bid/96919nvdThird Party AdvisoryVDB EntryWEB
- github.com/advisories/GHSA-rhx9-3qf7-r3j7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-6381ghsaADVISORY
- www.drupal.org/SA-2017-001nvdMitigationVendor AdvisoryWEB
- www.securitytracker.com/id/1038058nvdWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6381.yamlghsaWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6381.yamlghsaWEB
News mentions
0No linked articles in our index yet.