Drupal Updates Patch Another Vulnerability Related to Archive Files
2021-01-21 16:13

Security updates released this week by the developers of the Drupal content management system patch a vulnerability identified in a third-party library.

Core patches were made available for Drupal 9.1, 9.0, 8.9, and 7 to resolve a security flaw in the PEAR Archive_Tar library that also affects Drupal.

The Drupal development team explains that attackers could exploit the vulnerability if the CMS is configured to allow for the upload and processing of.

No security patches are available for Drupal 8 prior to 8.9.x, as those releases have reached end-of-life.

The newly addressed vulnerability is related to CVE-2020-28948, an issue in the same third-party library that could have been abused for the execution of arbitrary PHP code or to overwrite files, and which also impacted Drupal deployments configured to allow.

In late November, Drupal released out-of-band security updates to resolve the vulnerability, after the researcher who reported the issue released proof-of-concept exploits.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/oI32UTcwc8g/drupal-updates-patch-another-vulnerability-related-archive-files

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                    RISK
2020-11-19  CVE-2020-28948  Deserialization of Untrusted Data vulnerability in multiple products   7.8
            Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
            Attack vector: local, low complexity. Affected: php, debian, fedoraproject, drupal. Weakness: CWE-502.
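The root cause recorded in the CVE entry above is a case-sensitive blocklist guarding a name that PHP resolves case-insensitively: PHP looks up stream wrapper schemes without regard to case, so a check that only rejects the lower-case prefix lets a differently-cased spelling through. The following PHP snippet is an added illustration, not code from Drupal or from PEAR Archive_Tar; it contrasts a check with that defect against a case-insensitive check over constructed archive entry names. The hardened function goes beyond the page's phar case by rejecting any stream wrapper scheme, on the assumption that a path inside an archive should never carry a scheme at all.

```php
<?php
// Added example (not Drupal's or Archive_Tar's code). Shows why a
// case-sensitive scheme blocklist fails and how a case-insensitive
// check over archive entry names closes the gap.

// Weak check, mirroring the defect described for CVE-2020-28948:
// strpos() is case-sensitive, so "PHAR:" is not caught even though PHP
// resolves wrapper names case-insensitively.
function isBlockedWeak(string $entryName): bool
{
    return strpos($entryName, 'phar:') === 0;
}

// Hardened check: anything shaped like "<scheme>:" at the start of an entry
// name is treated as a stream wrapper reference and rejected, regardless of
// case. The scheme must be at least two characters so that Windows drive
// letters ("C:\...") are not mistaken for a wrapper.
function isBlockedHardened(string $entryName): bool
{
    return preg_match('/^[a-z][a-z0-9+.\-]+:/i', $entryName) === 1;
}

// Constructed sample entry names, as they might appear in an untrusted tarball.
$samples = [
    'images/logo.png',
    'phar:///tmp/untrusted.phar/x',
    'PHAR:///tmp/untrusted.phar/x',
    'Phar:///tmp/untrusted.phar/x',
    'C:\\site\\file.txt',
];

foreach ($samples as $name) {
    printf(
        "%-30s weak=%-8s hardened=%s\n",
        $name,
        isBlockedWeak($name) ? 'blocked' : 'allowed',
        isBlockedHardened($name) ? 'blocked' : 'allowed'
    );
}
```

Running the script prints one line per sample; only the all-lower-case `phar:` entry is caught by the weak check, while the hardened check rejects every scheme-prefixed name and still accepts the plain path and the drive-letter path. When extracting untrusted archives, this kind of check belongs alongside the usual path traversal (`..`) validation rather than replacing it.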

Related vendor

VENDOR  LAST 12M  #/PRODUCTS  LOW  MEDIUM  HIGH  CRITICAL  TOTAL VULNS
Drupal  135                   209  504     90    16        819