Drupal has patched a Critical third-party library vulnerability that affects multiple versions of Drupal Core.
A remote attacker could exploit this vulnerability to compromise an affected system.
The Drupal update SA-CORE-2021-004 patches a Critical PEAR Archive_Tar third-party library vulnerability, CVE-2021-32610. The issue affects Drupal 7, 8.9, 9.1 and 9.2.
“Exploitation may be possible if contrib or custom code uses the library to extract tar archives (for example .tar, .tar.gz, .bz2, or .tlz) which come from a potentially untrusted source,” Drupal wrote in the security advisory.
Readers may also recall that earlier this year Drupal patched another Critical PEAR Archive_Tar third-party library vulnerability, CVE-2020-36193. That issue was caused by write operations with directory traversal due to inadequate checking of symbolic links.
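The advisory's warning about extracting tarballs from untrusted sources comes down to checks the extraction code must make before writing anything: no member path may resolve outside the destination, and no member may be a symlink that leaves it or a file written through such a link. The Python below is an added example (not Drupal's or Archive_Tar's code) that performs that audit on a tar listing with the standard tarfile module; the destination path and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile

def _inside(dest, candidate):
    """True if dest/candidate, once normalised, stays at or below dest."""
    resolved = posixpath.normpath(posixpath.join(dest, candidate))
    return resolved == dest or resolved.startswith(dest + "/")

def _ancestors(name):
    """Directory prefixes of a member path: a/b/c -> ['a', 'a/b']."""
    parts = name.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]

def unsafe_members(tar_bytes, dest="/var/www/extract"):
    """Audit an archive listing before extraction; return [(name, reason)] to reject."""
    dest = posixpath.normpath(dest)  # metadata-only pass: nothing is written yet
    links, findings = set(), []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if not _inside(dest, m.name):
                findings.append((m.name, "path escapes destination"))
            elif m.issym() or m.islnk():
                # symlink targets resolve from the link's directory, hardlinks from the root
                base = posixpath.dirname(m.name) if m.issym() else ""
                if not _inside(dest, posixpath.join(base, m.linkname)):
                    findings.append((m.name, "link target leaves destination"))
                links.add(m.name)  # remember it: later entries may write through it
            elif any(p in links for p in _ancestors(m.name)):
                # a regular entry under an archived symlink is a write redirected to
                # wherever that link points: the symlink-traversal pattern of CVE-2020-36193
                findings.append((m.name, "written through an archived symlink"))
            elif not (m.isfile() or m.isdir()):
                findings.append((m.name, "device or fifo entry"))
    return findings

def sample_archive():
    """Constructed sample: benign file, traversal path, escaping symlink, write through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in [("site/readme.txt", b"hi"), ("../../etc/cron.d/job", b"x"),
                              ("site/cfg", "../../../etc"), ("site/cfg/settings.php", b"<?php")]:
            info = tarfile.TarInfo(name)
            if isinstance(payload, str):  # a str payload marks a symlink target
                info.type, info.linkname = tarfile.SYMTYPE, payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Recent Python releases ship an equivalent screen as `tarfile.data_filter` for `extractall`; the version above spells the rules out so they can be ported to whatever extraction routine is in use.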
- Drupal fixes ‘Moderately Critical’ XSS bug in CKEditor library
- Drupal patches Critical third-party library vulnerability (CVE-2020-36193)
- Drupal patches 2 Critical arbitrary PHP code execution vulnerabilities
- Drupal patches Critical RCE vulnerability (CVE-2020-13671)
- Drupal fixes Critical XSS bug and 4 other vulnerabilities