Security News > 2021 > January > Drupal Updates Patch Another Vulnerability Related to Archive Files

Drupal Updates Patch Another Vulnerability Related to Archive Files
2021-01-21 16:13

Security updates released this week by the developers of the Drupal content management system patch a vulnerability identified in a third-party library.

Core patches were made available for Drupal 9.1, 9.0, 8.9, and 7, to resolve a security flaw affecting PEAR Archive Tar, and which also impacts Drupal.

The Drupal development team explains that attackers could exploit the vulnerability if the CMS is configured to allow for the upload and processing of.

No security patches are available for Drupal 8 prior to 8.9.x, as those releases have reached end-of-life.

The newly addressed vulnerability is related to CVE-2020-28948, an issue in the same third-party library that could have been abused for the execution of arbitrary PHP code or to overwrite files, and which also impacted Drupal deployments configured to allow.

In late November, Drupal released out-of-band security updates to resolve the vulnerability, after the researcher who reported the issue released proof-of-concept exploits.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/oI32UTcwc8g/drupal-updates-patch-another-vulnerability-related-archive-files

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-11-19 CVE-2020-28948 Deserialization of Untrusted Data vulnerability in multiple products
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
local
low complexity
php debian fedoraproject drupal CWE-502
7.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Drupal 15 0 66 45 14 125