CVE-2020-28949, CVE-2020-28948: Drupal Arbitrary PHP Code Execution Vulnerability Alert
On November 25, 2020, Drupal issued a risk notice for code execution vulnerabilities in Drupal, tracked as CVE-2020-28949 and CVE-2020-28948. The vulnerabilities are rated high risk. A remote attacker can achieve arbitrary code execution by uploading specially constructed .tar, .tar.gz, .bz2, or .tlz files.
Vulnerability Detail
Drupal uses the PEAR Archive_Tar library to manage files, and that library contains security vulnerabilities. If Drupal is configured to allow uploads of .tar, .tar.gz, .bz2, or .tlz files and to process them, the result can be code execution.
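As an added defender-side example (not Drupal's or Archive_Tar's own code), the pre-scan below inspects an uploaded archive before any extractor touches it and rejects link entries, non-file entry types and paths that escape the extraction root. It does not reproduce the library's bug; it is a hardening check for the upload path the advisory describes, and the archive contents it scans are constructed inline.

```python
import io
import tarfile
from posixpath import normpath

# Entry types an archive uploaded for server-side processing should never
# carry: links can redirect an extractor outside its target directory.
UNSAFE_TYPES = {tarfile.SYMTYPE: "symlink", tarfile.LNKTYPE: "hardlink"}
PLAIN_TYPES = (tarfile.REGTYPE, tarfile.AREGTYPE, tarfile.DIRTYPE)


def is_unsafe_path(name: str) -> bool:
    """True if a member path is absolute or resolves above the extraction root."""
    normalized = normpath(name)
    return name.startswith("/") or normalized == ".." or normalized.startswith("../")


def scan_archive(data: bytes) -> list[str]:
    """Return findings for an archive; an empty list means nothing unsafe was seen.

    Mode "r:*" lets tarfile detect gzip, bzip2 and lzma/xz compression, so the
    .tar, .tar.gz, .bz2 and .tlz variants named in the advisory all go through
    the same checks.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if is_unsafe_path(member.name):
                findings.append(f"{member.name}: path escapes extraction root")
            if member.type in UNSAFE_TYPES:
                findings.append(f"{member.name}: {UNSAFE_TYPES[member.type]} -> {member.linkname}")
            elif member.type not in PLAIN_TYPES:
                findings.append(f"{member.name}: unsupported entry type {member.type!r}")
    return findings


def build_archive(members) -> bytes:
    """Build a gzip-compressed tar in memory from (name, kind, value) tuples (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, value in members:
            info = tarfile.TarInfo(name)
            if kind == "file":
                payload = value.encode()
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
            else:
                info.type = tarfile.SYMTYPE if kind == "symlink" else tarfile.LNKTYPE
                info.linkname = value
                tar.addfile(info)
    return buf.getvalue()


# Constructed samples: one benign upload, one carrying a symlink and a traversal path.
CLEAN = build_archive([("module/README.txt", "file", "hello")])
SUSPECT = build_archive([
    ("module/README.txt", "file", "hello"),
    ("module/settings.php", "symlink", "/etc/passwd"),
    ("../../outside.txt", "file", "escapes"),
])
```

An upload handler would reject the file whenever `scan_archive` returns a non-empty list and log the findings for review.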
Affected version
- Drupal: 9.0
- Drupal: 8.9
- Drupal: 8.8.x
- Drupal: 7
Unaffected version
- Drupal: 9.0.9
- Drupal: 8.9.10
- Drupal: 8.8.12
- Drupal: 7.75
Solution
We recommend that users promptly upgrade Drupal to the latest version.