Inclusion of Functionality from Untrusted Control Sphere

CVE-2017-6381

High

8.1/10

Summary

A 3rd party development library included with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normally installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.7 or 8.3.x before 8.3.0-rc2. To be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit directory from your production deployments

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

References

Advisory

Advisory Timeline

Published Mar 16, 2017

Inclusion of Functionality from Untrusted Control Sphere

CVE-2017-6381

Summary

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS