[Security-news] Drupal core - Critical - Remote code execution - SA-CORE-2020-012
security-news at drupal.org
security-news at drupal.org
Wed Nov 18 17:56:30 UTC 2020
View online: https://www.drupal.org/sa-core-2020-012
Project: Drupal core [1]
Date: 2020-November-18
Security risk: *Critical* 17∕25
AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Remote code execution
CVE IDs: CVE-2020-13671
Description:
Drupal core does not properly sanitize certain filenames on uploaded files,
which can lead to files being interpreted as the incorrect extension and
served as the wrong MIME type or executed as PHP for certain hosting
configurations.
Solution:
Install the latest version:
* If you are using Drupal 9.0, update to Drupal 9.0.8 [3]
* If you are using Drupal 8.9, update to Drupal 8.9.9 [4]
* If you are using Drupal 8.8 or earlier, update to Drupal 8.8.11 [5]
* If you are using Drupal 7, update to Drupal 7.74 [6]
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage.
Additionally, it's recommended that you audit all previously uploaded files
to check for malicious extensions. Look specifically for files that include
more than one extension, like .php.txt or .html.gif.
Reported By:
* ufku [7]
* Mark Ferree [8]
* Frédéric G. Marand [9]
* Samuel Mortenson [10] of the Drupal Security Team
* Derek Wright [11]
Fixed By:
* Heine [12] of the Drupal Security Team
* ufku [13]
* Mark Ferree [14]
* Michael Hess [15] of the Drupal Security Team
* David Rothstein [16] of the Drupal Security Team
* Peter Wolanin [17] of the Drupal Security Team
* Jess [18] of the Drupal Security Team
* Frédéric G. Marand [19]
* Stefan Ruijsenaars [20]
* David Snopek [21] of the Drupal Security Team
* Rick Manelius [22]
* David Strauss [23] of the Drupal Security Team
* Samuel Mortenson [24] of the Drupal Security Team
* Ted Bowman [25]
* Alex Pott [26] of the Drupal Security Team
* Derek Wright [27]
* Lee Rowlands [28] of the Drupal Security Team
* Kim Pepper [29]
* Wim Leers [30]
* Nate Lampton [31]
* Drew Webber [32] of the Drupal Security Team
* Fabian Franz [33]
* Alex Bronstein [34] of the Drupal Security Team
* Neil Drumm [35] of the Drupal Security Team
* Joseph Zhao [36]
* Ryan Aslett [37]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/9.0.8
[4] https://www.drupal.org/project/drupal/releases/8.9.9
[5] https://www.drupal.org/project/drupal/releases/8.8.11
[6] https://www.drupal.org/project/drupal/releases/7.74
[7] https://www.drupal.org/user/9910
[8] https://www.drupal.org/user/76245
[9] https://www.drupal.org/user/27985
[10] https://www.drupal.org/user/2582268
[11] https://www.drupal.org/user/46549
[12] https://www.drupal.org/user/17943
[13] https://www.drupal.org/user/9910
[14] https://www.drupal.org/user/76245
[15] https://www.drupal.org/user/102818
[16] https://www.drupal.org/user/124982
[17] https://www.drupal.org/user/49851
[18] https://www.drupal.org/user/65776
[19] https://www.drupal.org/user/27985
[20] https://www.drupal.org/user/551886
[21] https://www.drupal.org/user/266527
[22] https://www.drupal.org/user/680072
[23] https://www.drupal.org/user/93254
[24] https://www.drupal.org/user/2582268
[25] https://www.drupal.org/user/240860
[26] https://www.drupal.org/user/157725
[27] https://www.drupal.org/user/46549
[28] https://www.drupal.org/user/395439
[29] https://www.drupal.org/user/370574
[30] https://www.drupal.org/user/99777
[31] https://www.drupal.org/user/35821
[32] https://www.drupal.org/user/255969
[33] https://www.drupal.org/user/693738
[34] https://www.drupal.org/user/78040
[35] https://www.drupal.org/user/3064
[36] https://www.drupal.org/user/1987218
[37] https://www.drupal.org/user/391689
More information about the Security-news
mailing list