Drupal has patched a Critical third-party library vulnerability that affects multiple versions of Drupal Core.
A remote attacker could exploit this vulnerability to compromise an affected system.
The Drupal update SA-CORE-2021-001 patches a Critical vulnerability, CVE-2020-36193, in the third-party PEAR Archive_Tar library. The issue affects Drupal 7, 8.9, 9.0 and 9.1.
“Exploits may be possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them,” Drupal wrote in the security advisory.
According to the MITRE CVE entry, the vulnerability in Tar.php in Archive_Tar (through 1.4.11) is caused by write operations with directory traversal due to inadequate checking of symbolic links. The flaw is also related to a previously patched Drupal PHP code execution issue, CVE-2020-28948.
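As an added illustration of the symlink-then-write pattern the CVE entry describes (this is not code from Drupal or Archive_Tar), the following Python pre-extraction check scans archive members and flags those a safe extractor should refuse: paths or link targets that leave the extraction root, and files written through a symlink created earlier in the same archive. The sample archives are constructed in memory.

```python
import io
import posixpath
import tarfile

def _inside_root(path):
    """True if a relative archive path stays within the extraction directory."""
    norm = posixpath.normpath(path)
    return not (posixpath.isabs(path) or norm == ".." or norm.startswith("../"))

def unsafe_entries(tar_bytes):
    """List (member_name, reason) for entries that could write outside the root:
    escaping paths or link targets, and files routed through an earlier symlink."""
    findings, symlinks = [], set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if not _inside_root(m.name):
                findings.append((m.name, "path escapes extraction root"))
                continue
            parts = posixpath.normpath(m.name).split("/")
            if any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
                # A write through a symlink created earlier in the same archive
                findings.append((m.name, "path traverses an earlier symlink"))
                continue
            if m.issym():
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if not _inside_root(target):
                    findings.append((m.name, "symlink target escapes extraction root"))
                symlinks.add(posixpath.normpath(m.name))
            elif m.islnk() and not _inside_root(m.linkname):
                findings.append((m.name, "hardlink target escapes extraction root"))
    return findings

def _build_tar(entries):
    """Constructed in-memory archive; entries are (name, symlink_target_or_None, data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, link, data in entries:
            ti = tarfile.TarInfo(name)
            if link is not None:
                ti.type, ti.linkname = tarfile.SYMTYPE, link
                tf.addfile(ti)
            else:
                ti.size = len(data)
                tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()

# Constructed samples: a symlink pointing outside the root followed by a file
# written through it, versus a symlink that stays inside the extraction root.
MALICIOUS_TAR = _build_tar([("link", "../../outside", b""), ("link/x.php", None, b"<?php ?>")])
BENIGN_TAR = _build_tar([("docs", "subdir", b""), ("subdir/readme.txt", None, b"hello")])
```

Running `unsafe_entries` over an upload before handing it to any extractor gives a cheap, library-independent gate for the .tar, .tar.gz, .bz2 and .tlz uploads the advisory names.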
Drupal admins can also disable uploads of .tlz files to mitigate the vulnerability.
Finally, readers can also check out the Archive_Tar code updates posted to GitHub.