[Security-news] Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013

security-news at drupal.org security-news at drupal.org
Thu Nov 26 03:26:15 UTC 2020


View online: https://www.drupal.org/sa-core-2020-013

Project: Drupal core [1]
Date: 2020-November-25
Security risk: *Critical* 18∕25
AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:Uncommon [2]
Vulnerability: Arbitrary PHP code execution

CVE IDs: CVE-2020-28949CVE-2020-28948
Description: 
The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar
library has released a security update that impacts Drupal. For more
information please see:

   * CVE-2020-28948 [3]
   * CVE-2020-28949 [4]

Multiple vulnerabilities are possible if Drupal is configured to allow .tar,
.tar.gz, .bz2 or .tlz file uploads and processes them.

*To mitigate this issue, prevent untrusted users from uploading .tar,
.tar.gz, .bz2 or .tlz files.*

This is a different issue than SA-CORE-2019-12 [5], similar configuration
changes may mitigate the problem until you are able to patch.

Solution: 
Install the latest version:

   * If you are using Drupal 9.0, update to Drupal 9.0.9 [6]
   * If you are using Drupal 8.9, update to Drupal 8.9.10 [7]
   * If you are using Drupal 8.8 or earlier, update to Drupal 8.8.12 [8]
   * If you are using Drupal 7, update to Drupal 7.75 [9]

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage.

According to the regular security release window schedule [10], November 25th
would not typically be a core security window. However, this release is
necessary because there are known exploits for one of core's dependencies and
some configurations of Drupal are vulnerable.

Reported By: 
   * Luke Stewart [11]

Fixed By: 
   * Jess  [12] of the Drupal Security Team
   * Drew Webber [13] of the Drupal Security Team
   * Michael Hess [14] of the Drupal Security Team
   * Neil Drumm [15] of the Drupal Security Team
   * Lee Rowlands [16] of the Drupal Security Team


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949
[5] https://www.drupal.org/sa-core-2019-012
[6] https://www.drupal.org/project/drupal/releases/9.0.9
[7] https://www.drupal.org/project/drupal/releases/8.9.10
[8] https://www.drupal.org/project/drupal/releases/8.8.12
[9] https://www.drupal.org/project/drupal/releases/7.75
[10] https://www.drupal.org/node/1173280
[11] https://www.drupal.org/user/3564081
[12] https://www.drupal.org/user/65776
[13] https://www.drupal.org/user/255969
[14] https://www.drupal.org/user/102818
[15] https://www.drupal.org/user/3064
[16] https://www.drupal.org/user/395439



More information about the Security-news mailing list