Drupal Arbitrary PHP Code Execution Vulnerability

By Fortra's Digital Defense


On November 16th, 2020, several file manipulation vulnerabilities in the PEAR Archive_Tar library were disclosed and assigned CVE-2020-28948 and CVE-2020-28949. Drupal uses this PEAR library, but the vulnerabilities affect any platform that includes it in its code. If Drupal is configured to allow file uploads and to process files with the extensions .tar, .tar.gz, .bz2, or .tlz, arbitrary code execution through Drupal may be possible. Drupal released a critical security risk notice, with corresponding patches, for this vulnerability on November 25th, 2020. Affected Drupal versions are 7, 8.8.x, 8.9, and 9.0. Patch your systems as soon as possible to mitigate. More details can be found at: https://www.drupal.org/sa-core-2020-013.
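Two defensive layers follow from the advisory: refuse the listed archive extensions at the upload boundary unless the site genuinely needs them, and, where archives must be accepted, inspect every member before anything is extracted. The script below is an added example written for this post; it is not Drupal or PEAR code. It uses Python's `tarfile` module rather than Archive_Tar, applies generic path-sanity checks (absolute paths, `..` traversal, link entries) rather than the specific mechanics of the two CVEs, which the advisory does not describe, and the archives it checks are constructed in memory.

```python
"""Pre-extraction checks for uploaded tar archives.

Added example (not from the advisory, Drupal, or PEAR): a validator that
refuses uploads whose extension is on the list the advisory names, or whose
members would escape the extraction directory.  Uses Python's tarfile
module, not PEAR Archive_Tar.
"""
import io
import posixpath
import tarfile

# Extensions the advisory says must not reach Archive_Tar on an unpatched site.
RISKY_EXTENSIONS = (".tar", ".tar.gz", ".bz2", ".tlz")


def has_risky_extension(filename: str) -> bool:
    """True if the upload name ends with one of the archive extensions."""
    return filename.lower().endswith(RISKY_EXTENSIONS)


def unsafe_members(data: bytes) -> list:
    """Return (member name, reason) for every entry that should block extraction.

    Flags absolute paths, '..' traversal, and symlink/hardlink entries, since a
    link pointing outside the extraction directory lets later entries write
    through it.  Returns [] when every member stays inside the target directory.
    """
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            norm = posixpath.normpath(name)
            if name.startswith("/"):
                problems.append((name, "absolute path"))
            elif norm == ".." or norm.startswith("../"):
                problems.append((name, "path traversal"))
            elif member.issym() or member.islnk():
                problems.append((name, "link entry: " + member.linkname))
    return problems


def accept_upload(filename: str, data: bytes, archives_allowed: bool = False) -> bool:
    """Decision for one upload.

    By default archives are rejected outright (the advisory's mitigation for a
    site that has no need to process them).  When a site must accept archives,
    every member still has to pass unsafe_members().
    """
    if has_risky_extension(filename):
        if not archives_allowed:
            return False
        return unsafe_members(data) == []
    return True


def build_tar(entries) -> bytes:
    """Build a small tar archive in memory (constructed test data only).

    entries: list of (name, content_bytes_or_None, linkname_or_None).
    A non-None linkname produces a symlink entry instead of a regular file.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(content)
                tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample archives: one benign, one with traversal, one using a
# symlink to redirect a later write outside the extraction directory.
CLEAN = build_tar([("docs/readme.txt", b"hello", None)])
TRAVERSAL = build_tar([("../../sites/default/settings.php", b"<?php", None)])
LINKED = build_tar([("out", None, "/var/www"), ("out/x.php", b"<?php", None)])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("traversal", TRAVERSAL), ("linked", LINKED)):
        print(label, unsafe_members(blob))
```

The two functions are independent on purpose: `has_risky_extension` is the equivalent of trimming Drupal's allowed-extension list, which is the cheapest mitigation while a site is unpatched, and `unsafe_members` is the check to run on archives that are accepted, before any extraction library (Archive_Tar or otherwise) touches the filesystem.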

Frontline.Cloud will release potential Drupal checks for these vulnerabilities with Frontline scanner release 3.0.67.0, during the week of December 7, 2020.
