Base Score

CRITICAL9.8

CVE-2017-6920

Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations.

VectorNETWORK

Published Bymlhess@drupal.org

Published DateAug 06, 2018, 15:29

Affected Versions(2)

drupal/core(Packagist)

Introduced8.0

Fixed8.3.4

LimitN/A

drupal/drupal(Packagist)

Introduced8.0

Fixed8.3.4

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
drupal/core(Packagist)	8.0	8.3.4	N/A
drupal/drupal(Packagist)	8.0	8.3.4	N/A

Weakness Type (CWE):CWE-19

CVSS Metrics

Base Score

9.8

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

Base Score

CRITICAL9.8

Weakness Type (CWE):CWE-19

CVSS Metrics

Base Score

9.8

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH