CVE-2020-28949, CVE-2020-28948: Drupal Arbitrary PHP Code Execution Vulnerability Alert

CVE-2020-28949, CVE-2020-28948: Drupal Arbitrary PHP Code Execution Vulnerability Alert

On November 25, 2020, Drupal issued a risk notice for Drupal code execution vulnerabilities, the vulnerability number is CVE-2020-28949/CVE-2020-28948. The vulnerability level is a high risk. Remote attackers can cause arbitrary code execution by uploading specially constructed .tar, .tar.gz, .bz2, and .tlz files.
Drupal Remote Code Execution

Vulnerability Detail

The PEAR Archive_Tar library is used in the Drupal project to manage files, and the library has security vulnerabilities. If Drupal is configured to allow uploading of .tar, .tar.gz, .bz2, .tlz files and processing them, it may cause code execution.

Affected version

  • Drupal: 9.0
  • Drupal: 8.9
  • Drupal: 8.8.x
  • Drupal: 7

Unaffected version

  • Drupal: 9.0.9
  • Drupal: 8.9.10
  • Drupal: 8.8.12
  • Drupal: 7.75

Solution

In this regard, we recommend that users upgrade Drupal to the latest version in time.