Updates have been released for Drupal versions 7.7, 8.8, 8.9 and 9.0. Drupal is a user-friendly and powerful content management platform written in PHP, which can be used to create websites, for example. It’s simple enough for a novice user, but powerful enough to build a more complex website as well. The program includes a content management platform and a development framework. The updates contain a fix for the following security issue:
Drupal core – Critical – Arbitrary PHP code execution – SA-CORE-2020-013
Project: Drupal core
Security risk: Critical 18∕25 AC: Complex / A: User / CI: All / II: All / E: Exploit / TD: Uncommon
Vulnerability: Arbitrary PHP code execution
Description: The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:
Multiple vulnerabilities are possible if Drupal is configured to allow .tlz file uploads and processes them. To mitigate this issue, prevent untrusted users from uploading .tlz files. This is a different issue than SA-CORE-2019-012. Similar configuration changes may mitigate the problem until you are able to patch.
Solution: Install the latest version:
- If you are using Drupal 9.0, update to Drupal 9.0.9
- If you are using Drupal 8.9, update to Drupal 8.9.10
- If you are using Drupal 8.8 or earlier, update to Drupal 8.8.12
- If you are using Drupal 7, update to Drupal 7.75
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
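The Solution list above can be applied to an inventory of sites, as an added example that is not part of the advisory or of Drupal's own code. It compares versions numerically, because a plain string comparison would rank 8.9.9 above 8.9.10 and 7.8 above 7.75. The function names and the sample inventory are hypothetical, and branches the advisory does not list are reported as such rather than guessed.

```python
import re

# Fixed release per branch, copied from the Solution list in the advisory.
FIXED = {(9, 0): (9, 0, 9), (8, 9): (8, 9, 10), (8, 8): (8, 8, 12), (7,): (7, 75)}

def parse_version(text):
    """Turn '8.9.3' or '7.74' into a tuple of ints; reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,2}", text):
        raise ValueError(f"unrecognised Drupal core version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def fmt(version):
    return ".".join(str(n) for n in version)

def triage(version_text):
    """Return (status, target) where status is one of
    'patched', 'update', 'end-of-life' or 'not-listed'."""
    v = parse_version(version_text)
    if v[0] == 7:
        branch = (7,)                      # Drupal 7 uses 7.NN numbering
    elif v[0] == 8 and v[:2] < (8, 8):
        # Prior to 8.8.x: end-of-life; the advisory points these at 8.8.12.
        return ("end-of-life", fmt(FIXED[(8, 8)]))
    else:
        branch = v[:2]
    fixed = FIXED.get(branch)
    if fixed is None:
        return ("not-listed", None)        # branch not covered by this advisory
    if v >= fixed:                         # tuple comparison is numeric
        return ("patched", None)
    return ("update", fmt(fixed))

# Constructed sample inventory: host names and versions are made up.
SAMPLE = {"www": "9.0.8", "intranet": "8.9.9", "legacy": "8.7.14",
          "archive": "7.8", "shop": "8.9.10"}

def triage_inventory(inventory):
    return {host: triage(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, (status, target) in triage_inventory(SAMPLE).items():
        print(f"{host:10} {status:12} {target or '-'}")
```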
Version number: 7.75 / 8.8.12 / 8.9.10 / 9.0.9
Operating systems: Script language