Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013

2020-11-25T00:00:00
ID DRUPAL-SA-CORE-2020-013
Type drupal
Reporter Drupal Security Team
Modified 2020-11-25T00:00:00

Description

Project:

Drupal core

Date:

2020-November-25

Security risk:

Critical 18∕25 AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:Uncommon

Vulnerability:

Arbitrary PHP code execution

CVE IDs:

CVE-2020-28949

CVE-2020-28948

Description:

The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.

To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.

This is a different issue than SA-CORE-2019-012. Similar configuration changes may mitigate the problem until you are able to patch.

Solution:

Install the latest version:

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.

According to the regular security release window schedule, November 25th would not typically be a core security window. However, this release is necessary because there are known exploits for one of core's dependencies and some configurations of Drupal are vulnerable.

Reported By:

Fixed By: