Drupal core - Critical - Third-party libraries - SA-CORE-2021-001
Project: Drupal core
Date: 2021-January-20
Security risk: Critical 18∕25
Vulnerability: Third-party libraries
Description
The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal. For more information please see:
Exploits may be possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.
Solution:
Install the latest version:
If you are using Drupal 9.1, update to Drupal 9.1.3.
If you are using Drupal 9.0, update to Drupal 9.0.11.
If you are using Drupal 8.9, update to Drupal 8.9.13.
If you are using Drupal 7, update to Drupal 7.78.
Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.
Disable uploads of .tar, .tar.gz, .bz2, or .tlz files to mitigate the vulnerability.
We value your opinion. Please add your feedback.