CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

CVSS3: 8.1 High (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

EPSS: 0.066 Low (Percentile 93.8%)

A third-party development library included with Drupal 8 development
dependencies is vulnerable to remote code execution. This is mitigated by
the default .htaccess protection against PHP execution, and the fact that
Composer development dependencies aren’t normally installed. You might be
vulnerable to this if you are running a version of Drupal before 8.2.2. To
be sure you aren’t vulnerable, you can remove the <siteroot>/vendor/phpunit
directory from your production deployments.

Author | Note |
---|---|
ratliff | Ubuntu doesn’t package drupal8 and it is unclear whether this vulnerability impacts drupal7, it needs a bit more investigation |