Critical Vulnerabilities in Drupal 7, 8.8, 8.9, and 9.0

Published on 30 Nov 2020

Updated on 21 Jan 2021

Drupal has released security updates to address two critical vulnerabilities (CVE-2020-28948 and CVE-2020-28949) affecting Drupal 7, 8.8, 8.9, and 9.0.

The vulnerabilities are caused by the third-party PEAR Archive_Tar library, used by Drupal Content Management System (CMS) specifically if the CMS is configured to allow and process .tar, .tar.gz, .bz2, or .tlz file uploads. The exploit codes for the vulnerabilities are now publicly available.

Successful exploitation of the vulnerabilities could allow an attacker to perform arbitrary PHP code execution on affected systems. 

Users and System Administrators are advised to patch the following versions on affected servers immediately:

  • Drupal 9.0 users should update to Drupal 9.0.9
  • Drupal 8.9 users should update to Drupal 8.9.10
  • Drupal 8.8 or earlier users should update to Drupal 8.8.12
  • Drupal 7 users should update to Drupal 7.75

         Note: Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security patch.

If patching is not possible, users and system administrators are advised to temporarily mitigate the vulnerabilities by preventing untrusted users from uploading .tar, .tar.gz, .bz2, and .tlz files.

More information is available here:

https://www.drupal.org/sa-core-2020-013