Out-of-band Drupal security updates fix bugs with known exploits
Drupal has released out-of-band security updates to fix two critical code execution flaws in Drupal core, as "There are known exploits for one of core's dependencies and some configurations of Drupal are vulnerable."
CVE-2020-28948 and CVE-2020-28949 are arbitrary PHP code execution vulnerabilities found in the open source PEAR Archive_Tar library, which Drupal uses to handle TAR files in PHP. "(The) vulnerabilities are possible if Drupal is configured to allow .tlz file uploads and processes them," the Drupal Security Team explained.
As the maintainers of the library have released fixed versions, the Drupal team has already incorporated them, and the best course of action for users is to upgrade their Drupal installation to version 9.0.9, 8.9.10, 8.8.12, or 7.75.
This is the second time in the span of a week that Drupal core has received security updates: the earlier ones fixed a code execution vulnerability that could have been triggered by malicious files with a double extension.
News URL: http://feedproxy.google.com/~r/HelpNetSecurity/~3/HIY-5KxQlLo/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2020-11-19 | CVE-2020-28948 | Deserialization of Untrusted Data vulnerability in multiple products: Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. | 7.8
2020-11-19 | CVE-2020-28949 | Injection vulnerability in multiple products: Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. | 7.8
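The two table rows describe the same defensive lesson from opposite sides: a scheme check must be case-insensitive (phar: versus PHAR:), and it must reject every PHP stream wrapper, not just phar. The following is an added example, not code from Archive_Tar or Drupal, showing a hardened check for archive entry names that applies both lessons and also blocks path traversal; the function name `isSafeTarEntryName` and the sample entry names are constructed for illustration.

```php
<?php
// Added example (not Archive_Tar's or Drupal's own code): a hardened
// validator for tar entry names before they are used as extraction paths.

function isSafeTarEntryName(string $name): bool
{
    // Any "://" anywhere in the name, compared case-insensitively, is a
    // stream-wrapper reference (phar://, file://, php://, ...) and has no
    // business in an archive entry. stripos() also catches "PHAR://".
    if (stripos($name, '://') !== false) {
        return false;
    }

    // Defence in depth: reject a URL-style scheme prefix even without "//".
    // The /i flag makes "PHAR:" and "Phar:" fail exactly like "phar:".
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $name) === 1) {
        return false;
    }

    // Reject absolute paths and ".." segments so extraction cannot escape
    // the destination directory (normalise backslashes first).
    $normalized = str_replace('\\', '/', $name);
    if ($normalized === '' || $normalized[0] === '/') {
        return false;
    }
    foreach (explode('/', $normalized) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }

    return true;
}

// Constructed sample entry names: the first three mirror the cases in the
// CVE table above, the fourth is classic traversal, the last two are benign.
$samples = [
    'phar://evil.phar/x.php'  => false,
    'PHAR://evil.phar/x.php'  => false,  // case trick behind CVE-2020-28948
    'file:///tmp/overwrite'   => false,  // non-phar wrapper, CVE-2020-28949
    '../../etc/cron.d/job'    => false,
    'docs/README.txt'         => true,
    'images/logo.png'         => true,
];

foreach ($samples as $entry => $expected) {
    $result = isSafeTarEntryName($entry);
    printf("%-28s %s\n", $entry, $result ? 'allowed' : 'rejected');
    assert($result === $expected);
}
```

The key design choice is to reject on the generic `://` marker rather than on a denylist of scheme names: a denylist has to be updated every time a new wrapper becomes relevant, whereas no legitimate archive entry needs a scheme at all. The separate case-insensitive prefix check is deliberately redundant, so that a future refactor of one check cannot silently reopen the other bypass.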