Drupal Arbitrary PHP Code Execution Vulnerability
On November 16th, 2020, several file manipulation vulnerabilities within the PEAR Archive_Tar library were disclosed, given CVE-2020-28948 and CVE-2020-28949. This PEAR library is used by Drupal, although these vulnerabilities impact any platform that utilizes PEAR in their code. If Drupal is configured to allow file uploads and the processing of files with extensions “.tar, .tar.gz, .bz2, or .tlz”, then arbitrary code execution by Drupal may be possible. Drupal released a critical security risk notice along with corresponding patches for this vulnerability on November 25th, 2020. Drupal versions affected are Drupal 7, 8.8.x, 8.9, and 9.0. Please patch your systems as soon as possible, to mitigate. More details can be found at: https://www.drupal.org/sa-core-2020-013.
Frontline.Cloud will release potential Drupal checks for these vulnerabilities with Frontline scanner release 126.96.36.199, during the week of December 7, 2020.