Published on: 30 November 2020
Drupal has released a security advisory to address two vulnerabilities in the PEAR Archive_Tar library, which is used in Drupal Core by default. Systems which allow users to upload files with the extensions .tar, .tar.gz, .bz2, or .tlz are affected. A remote attacker with the necessary privileges may upload a maliciously crafted file to a vulnerable system to exploit the vulnerabilities.
Exploits against the vulnerabilities (CVE-2020-28948 and CVE-2020-28949) have been observed, and a proof-of-concept exploit is publicly available on the Internet. System administrators are advised to take immediate action to patch their affected systems to mitigate the elevated risk of cyber attacks.
Please note that Drupal 8 prior to version 8.8.x has reached its End-Of-Life (EOL), and no security updates will be provided for it. Users should arrange to upgrade Drupal to a supported version or migrate to another supported technology.
A successful attack could lead to remote code execution on an affected system.
The product vendor has released patches to address the issues.
https://www.drupal.org/sa-core-2020-013
https://www.drupal.org/core/release-cycle-overview
https://www.hkcert.org/my_url/en/alert/20113001
https://us-cert.cisa.gov/ncas/current-activity/2020/11/27/drupal-releases-security-updates
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949