GHSA-rhx9-3qf7-r3j7 · Severity: high · Ecosystem: composer — Drupal Remote code execution
A third-party development library included with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normally installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit directory from your production deployments.
Conclusion & alert: CVE-2017-6381 is rated Moderate Risk (64.1/100): CVSS High severity, with medium exploitation likelihood (EPSS 3.90%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 3.31% | 3.90% | +0.59% |
| 2 | 2025-11-21 | 1.23% | 3.31% | +2.08% |
| 3 | 2025-11-18 | — | 1.23% | — |
Full EPSS history (14 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.1 | 3.0 | HIGH | | 2.2 | 5.9 | [email protected] |
| 6.8 | 2.0 | MEDIUM | | 8.6 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| ubuntu | medium | CVE-2017-6381 medium priority: Ubuntu including 1 source package (drupal7), 23 status rows across 23 suites (artful, bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, precise, questing, trusty, upstream, xenial, yakkety, zesty): DNE 16, ignored 4, needed 2, needs-triage 1. | https://ubuntu.com/security/CVE-2017-6381 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:*:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:alpha10:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:alpha11:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:alpha12:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:alpha13:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:alpha14:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:alpha15:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:alpha2:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:alpha3:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:alpha4:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:alpha5:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:alpha6:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:alpha7:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:alpha8:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:alpha9:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:beta1:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:beta10:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:beta11:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:beta12:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:beta13:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:beta14:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:beta15:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:beta16:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:beta2:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:beta3:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:beta4:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:beta6:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:beta7:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:beta9:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:rc1:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:rc2:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:rc3:*:*:*:*:*:* |
| drupal | drupal | 8.0.0 | cpe:2.3:a:drupal:drupal:8.0.0:rc4:*:*:*:*:*:* |
| drupal | drupal | 8.0.1 | cpe:2.3:a:drupal:drupal:8.0.1:*:*:*:*:*:*:* |
| drupal | drupal | 8.0.2 | cpe:2.3:a:drupal:drupal:8.0.2:*:*:*:*:*:*:* |
| drupal | drupal | 8.0.3 | cpe:2.3:a:drupal:drupal:8.0.3:*:*:*:*:*:*:* |
| drupal | drupal | 8.0.4 | cpe:2.3:a:drupal:drupal:8.0.4:*:*:*:*:*:*:* |
| drupal | drupal | 8.0.5 | cpe:2.3:a:drupal:drupal:8.0.5:*:*:*:*:*:*:* |
| drupal | drupal | 8.0.6 | cpe:2.3:a:drupal:drupal:8.0.6:*:*:*:*:*:*:* |
| drupal | drupal | 8.1.0 | cpe:2.3:a:drupal:drupal:8.1.0:*:*:*:*:*:*:* |
| drupal | drupal | 8.1.0 | cpe:2.3:a:drupal:drupal:8.1.0:beta1:*:*:*:*:*:* |
| drupal | drupal | 8.1.0 | cpe:2.3:a:drupal:drupal:8.1.0:beta2:*:*:*:*:*:* |
| drupal | drupal | 8.1.0 | cpe:2.3:a:drupal:drupal:8.1.0:rc1:*:*:*:*:*:* |
| drupal | drupal | 8.1.1 | cpe:2.3:a:drupal:drupal:8.1.1:*:*:*:*:*:*:* |
| drupal | drupal | 8.1.2 | cpe:2.3:a:drupal:drupal:8.1.2:*:*:*:*:*:*:* |
| drupal | drupal | 8.1.3 | cpe:2.3:a:drupal:drupal:8.1.3:*:*:*:*:*:*:* |
| drupal | drupal | 8.1.4 | cpe:2.3:a:drupal:drupal:8.1.4:*:*:*:*:*:*:* |
| drupal | drupal | 8.1.5 | cpe:2.3:a:drupal:drupal:8.1.5:*:*:*:*:*:*:* |
| drupal | drupal | 8.1.6 | cpe:2.3:a:drupal:drupal:8.1.6:*:*:*:*:*:*:* |
| drupal | drupal | 8.1.7 | cpe:2.3:a:drupal:drupal:8.1.7:*:*:*:*:*:*:* |
| drupal | drupal | 8.1.8 | cpe:2.3:a:drupal:drupal:8.1.8:*:*:*:*:*:*:* |
| drupal | drupal | 8.1.9 | cpe:2.3:a:drupal:drupal:8.1.9:*:*:*:*:*:*:* |
| drupal | drupal | 8.1.10 | cpe:2.3:a:drupal:drupal:8.1.10:*:*:*:*:*:*:* |
| drupal | drupal | 8.2.0 | cpe:2.3:a:drupal:drupal:8.2.0:*:*:*:*:*:*:* |
| drupal | drupal | 8.2.0 | cpe:2.3:a:drupal:drupal:8.2.0:beta1:*:*:*:*:*:* |
| drupal | drupal | 8.2.0 | cpe:2.3:a:drupal:drupal:8.2.0:beta2:*:*:*:*:*:* |
| drupal | drupal | 8.2.0 | cpe:2.3:a:drupal:drupal:8.2.0:beta3:*:*:*:*:*:* |
| drupal | drupal | 8.2.0 | cpe:2.3:a:drupal:drupal:8.2.0:rc1:*:*:*:*:*:* |
| drupal | drupal | 8.2.0 | cpe:2.3:a:drupal:drupal:8.2.0:rc2:*:*:*:*:*:* |
| drupal | drupal | 8.2.1 | cpe:2.3:a:drupal:drupal:8.2.1:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/96919 | Third Party Advisory VDB Entry |
| http://www.securitytracker.com/id/1038058 | |
| https://www.drupal.org/SA-2017-001 | Mitigation Vendor Advisory |