Drupal releases fix for critical vulnerability with known exploits (Security News, January 2021)

Drupal has released a security update to address a critical vulnerability in a third-party library with documented or deployed exploits available in the wild.
"The Drupal project uses the pear Archive Tar library, which has released a security update that impacts Drupal," the Drupal security team said.
Exploiting the Drupal vulnerability is only possible if the CMS is configured to accept uploaded tar archives and to process them with the library.
The flaw is related to an earlier critical vulnerability with known exploits in the same PEAR Archive_Tar library, CVE-2020-28948, an unserialization bug that could lead to arbitrary PHP code execution on affected CMS versions: the library refused entry names beginning with the lowercase "phar:" scheme but not the uppercase "PHAR:" spelling.
Drupal issued an out-of-band emergency security update for it in November 2020, allowing admins to patch their servers quickly against potential attacks.
Also in November, Drupal patched another critical remote code execution vulnerability, tracked as CVE-2020-13671, which allowed attackers to execute malicious code on vulnerable servers because the filenames of uploaded files were not properly sanitized: a file could be interpreted as having a different extension and be served with the wrong MIME type or executed as PHP on certain hosting configurations.
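The "phar: is blocked but PHAR: is not" detail is a case-sensitivity bypass of a scheme blocklist. The PHP below is an added example written for this page; it is not Archive_Tar's code and not its actual patch. Both sanitizer functions and the sample tar entry names are hypothetical. It contrasts a check that rejects only the literal lowercase prefix with one that rejects any stream-wrapper scheme regardless of case, together with absolute paths and ".." components.

```php
<?php
// Added example, not Archive_Tar's code or its patch. It models the class of
// check behind CVE-2020-28948: a blocklist that compares the literal lowercase
// "phar://" prefix, while PHP resolves stream-wrapper schemes case-insensitively.

// Hypothetical vulnerable check: only the exact lowercase scheme is refused.
function is_entry_blocked_vulnerable(string $entryPath): bool
{
    return strpos($entryPath, 'phar://') === 0;
}

// Hypothetical hardened check. Refuse any "<scheme>://" spelling regardless of
// case (phar://, PHAR://, file://, ...), absolute paths, and ".." components, so
// every extracted entry has to resolve inside the extraction directory.
function is_entry_blocked_hardened(string $entryPath): bool
{
    if ($entryPath === '' || preg_match('#^[a-z][a-z0-9+.\-]*://#i', $entryPath)) {
        return true;    // any stream-wrapper scheme, whatever its case
    }
    if ($entryPath[0] === '/' || $entryPath[0] === '\\' || preg_match('#^[a-z]:#i', $entryPath)) {
        return true;    // absolute POSIX path or Windows drive prefix (conservative)
    }
    foreach (preg_split('#[/\\\\]+#', $entryPath) as $component) {
        if ($component === '..') {
            return true;    // directory traversal
        }
    }
    return false;
}

// Constructed tar entry names (file names or link targets an attacker controls).
$entries = [
    'docs/readme.txt',            // benign
    'phar://evil.phar/x.txt',     // caught by both checks
    'PHAR://evil.phar/x.txt',     // slips past the vulnerable check, reaches the same wrapper
    'Phar://evil.phar/x.txt',
    'file:///etc/passwd',         // a different wrapper: never caught by the vulnerable check
    '../../var/www/html/s.php',   // traversal, not a wrapper at all
];

foreach ($entries as $entry) {
    printf("%-28s vulnerable: %-6s hardened: %s\n", $entry,
        is_entry_blocked_vulnerable($entry) ? 'block' : 'ALLOW',
        is_entry_blocked_hardened($entry) ? 'block' : 'ALLOW');
}
```

PHP looks up stream wrappers by lower-casing the scheme first, so "PHAR://" is routed to the phar wrapper exactly like "phar://". On older PHP releases (before the lazy metadata loading introduced in PHP 8.0) that wrapper runs unserialize() on the archive's metadata during ordinary filesystem calls such as file_exists(), which is what turns an attacker-controlled .phar on disk into a deserialization primitive. The hardened check therefore refuses the whole class of "scheme://" names rather than one spelling of one scheme.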
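The "interpreted as the incorrect extension" failure mode usually comes from multi-extension handling: a web server such as Apache with mod_mime and an AddHandler for .php acts on every recognised extension in a name, so "shell.php.txt" can be executed as PHP even though its last extension looks harmless. One way to neutralise that class of name, as an added example that is my own code and not Drupal's upload handling (the function, the extension list, the allow list and the sample names are all hypothetical):

```php
<?php
// Added example for this page; not Drupal's own upload code.
// Threat model: the web server may act on *every* extension in a file name,
// so "shell.php.txt" can be run as PHP although the final extension is ".txt".

// Illustrative list of extensions that must never sit unneutralised inside an
// uploaded name. A real deployment derives this from its own server handlers.
const DANGEROUS_EXTENSIONS = ['php', 'phtml', 'phar', 'phps', 'pl', 'py', 'cgi', 'sh', 'htaccess'];

/**
 * Return a safe name for storing an upload, or null if the name must be rejected.
 *
 * - path components are dropped ("../x/shell.php.txt" -> "shell.php.txt")
 * - control characters (including NUL) and trailing dots/spaces are removed
 * - any dangerous extension that is not the final one gets an underscore
 *   appended ("shell.php.txt" -> "shell.php_.txt"), so no handler matches it
 * - the final extension must be on the caller's allow list (case-insensitive)
 */
function sanitize_upload_filename(string $original, array $allowedFinal): ?string
{
    // Drop directories; treat backslashes as separators too.
    $name = basename(str_replace('\\', '/', $original));
    // Strip control characters, then trailing dots and spaces.
    $name = preg_replace('/[\x00-\x1f\x7f]/', '', $name);
    $name = rtrim($name, ". ");

    $parts = explode('.', $name);
    if (count($parts) < 2 || $parts[0] === '') {
        return null;                // no extension at all, or a dotfile like ".htaccess"
    }
    $final = strtolower(end($parts));
    if (!in_array($final, array_map('strtolower', $allowedFinal), true)) {
        return null;                // final extension not permitted
    }
    $safe = array_shift($parts);    // $parts now holds only the extensions, reindexed
    $last = count($parts) - 1;
    foreach ($parts as $i => $ext) {
        if ($i !== $last && in_array(strtolower($ext), DANGEROUS_EXTENSIONS, true)) {
            $ext .= '_';            // neutralise an intermediate dangerous extension
        }
        $safe .= '.' . $ext;
    }
    return $safe;
}

// Constructed sample inputs.
$allowed = ['txt', 'jpg', 'png', 'pdf'];
foreach (['report.txt', 'shell.php.txt', 'shell.PhP.txt', 'shell.php', 'shell.php.',
          '../../shell.php.jpg', '.htaccess', "image\x00.php.png"] as $name) {
    $safe = sanitize_upload_filename($name, $allowed);
    printf("%-24s -> %s\n", addcslashes($name, "\0..\37"), $safe ?? 'REJECT');
}
```

Two design choices matter here. Rejecting on the final extension alone is not enough, which is why the intermediate extensions are rewritten rather than just checked; and the rewrite happens after control characters and trailing dots are stripped, so "shell.php." cannot be smuggled past the allow list and then lose its trailing dot on the filesystem.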
Related vulnerabilities
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK (CVSS base score)
---|---|---|---|---
2020-11-20 | CVE-2020-13671 | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products | Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. | 8.8
2020-11-19 | CVE-2020-28948 | Deserialization of Untrusted Data vulnerability in multiple products | Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. | 7.8