View online: https://www.drupal.org/sa-core-2020-013
Project: Drupal core [1] Date: 2020-November-25 Security risk: *Critical* 18∕25 AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:Uncommon [2] Vulnerability: Arbitrary PHP code execution
CVE IDs: CVE-2020-28949CVE-2020-28948 Description: The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:
* CVE-2020-28948 [3] * CVE-2020-28949 [4]
Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.
*To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2 or .tlz files.*
This is a different issue than SA-CORE-2019-12 [5], similar configuration changes may mitigate the problem until you are able to patch.
Solution: Install the latest version:
* If you are using Drupal 9.0, update to Drupal 9.0.9 [6] * If you are using Drupal 8.9, update to Drupal 8.9.10 [7] * If you are using Drupal 8.8 or earlier, update to Drupal 8.8.12 [8] * If you are using Drupal 7, update to Drupal 7.75 [9]
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
According to the regular security release window schedule [10], November 25th would not typically be a core security window. However, this release is necessary because there are known exploits for one of core's dependencies and some configurations of Drupal are vulnerable.
Reported By: * Luke Stewart [11]
Fixed By: * Jess [12] of the Drupal Security Team * Drew Webber [13] of the Drupal Security Team * Michael Hess [14] of the Drupal Security Team * Neil Drumm [15] of the Drupal Security Team * Lee Rowlands [16] of the Drupal Security Team
[1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948 [4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949 [5] https://www.drupal.org/sa-core-2019-012 [6] https://www.drupal.org/project/drupal/releases/9.0.9 [7] https://www.drupal.org/project/drupal/releases/8.9.10 [8] https://www.drupal.org/project/drupal/releases/8.8.12 [9] https://www.drupal.org/project/drupal/releases/7.75 [10] https://www.drupal.org/node/1173280 [11] https://www.drupal.org/user/3564081 [12] https://www.drupal.org/user/65776 [13] https://www.drupal.org/user/255969 [14] https://www.drupal.org/user/102818 [15] https://www.drupal.org/user/3064 [16] https://www.drupal.org/user/395439