
Out-of-band Drupal security updates fix bugs with known exploits
2020-11-27 19:57

Drupal has released out-of-band security updates to fix two critical code execution flaws in Drupal core, as "There are known exploits for one of core's dependencies and some configurations of Drupal are vulnerable."

CVE-2020-28948 and CVE-2020-28949 are arbitrary PHP code execution vulnerabilities found in the open source PEAR Archive_Tar library, which Drupal uses to handle TAR files in PHP. "(The) vulnerabilities are possible if Drupal is configured to allow .tlz file uploads and processes them," the Drupal Security Team explained.

As the library's maintainers have released a fixed version, the Drupal team has already incorporated it, and the best course of action for users is to upgrade their Drupal installation to version 9.0.9, 8.9.10, 8.8.12, or 7.75.

This is the second time within a week that Drupal core has received security updates: the earlier ones fixed a code execution vulnerability that could be triggered by malicious files with a double extension.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/HIY-5KxQlLo/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                   RISK
2020-11-19  CVE-2020-28948  Deserialization of Untrusted Data vulnerability in multiple products  7.8 (local, low complexity)
            Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
            Affected: php, debian, fedoraproject, drupal. Weakness: CWE-502
2020-11-19  CVE-2020-28949  Injection vulnerability in multiple products                          7.8 (local, low complexity)
            Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
            Affected: php, debian, fedoraproject, drupal. Weakness: CWE-74
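The two CVE entries above describe the same class of defect twice: an entry-name check that only blocked a lower-case `phar:` prefix. The following Python is an added illustration, not Archive_Tar's PHP code; it models that pre-fix rule next to a check that rejects any stream-wrapper scheme case-insensitively (plus absolute paths and `..` segments), run over constructed sample entry names.

```python
import re

# Constructed sample tar entry names, modelled on the two advisories above.
SAMPLE_ENTRIES = [
    "docs/readme.txt",                # ordinary entry: must be accepted
    "phar://evil.phar/x",             # the one case the original check did block
    "PHAR://evil.phar/x",             # CVE-2020-28948: upper-case scheme slips past a case-sensitive check
    "file:///var/www/settings.php",   # CVE-2020-28949: a different wrapper was never checked at all
    "../../etc/passwd",               # plain path traversal, rejected by the hardened check too
]

# Any "scheme://" prefix, matched case-insensitively: PHP resolves wrapper
# names (phar, file, php, data, glob, ...) without regard to case, so the
# filter must do the same rather than enumerate known schemes.
_WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def weak_check(name: str) -> bool:
    """Model of the pre-fix behaviour: only a literal lower-case 'phar:' is refused."""
    return not name.startswith("phar:")


def hardened_check(name: str) -> bool:
    """Accept an entry name only if it can neither select a stream wrapper
    nor escape the extraction directory."""
    if "\x00" in name:                       # NUL can truncate paths in C-backed APIs
        return False
    if _WRAPPER_RE.match(name):              # phar://, PHAR://, file://, data:// ...
        return False
    if name.startswith("/"):                 # absolute path: would write outside the target dir
        return False
    if any(seg == ".." for seg in name.split("/")):
        return False
    return True


def compare(entries=SAMPLE_ENTRIES) -> dict:
    """Return {entry: (weak_accepts, hardened_accepts)} for each sample entry."""
    return {e: (weak_check(e), hardened_check(e)) for e in entries}


if __name__ == "__main__":
    for entry, (weak, hard) in compare().items():
        print(f"{entry!r:36} weak={'accept' if weak else 'reject':6} hardened={'accept' if hard else 'reject'}")
```

Only the first sample entry survives the hardened check, while the weak rule lets both wrapper-based names through.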

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Drupal 15 0 66 45 14 125