Drupal has released out-of-band security updates to fix two critical code execution flaws (CVE-2020-28948, CVE-2020-28949) in Drupal core, as “there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable.”
The vulnerabilities (CVE-2020-28948, CVE-2020-28949)
CVE-2020-28948 and CVE-2020-28949 are arbitrary PHP code execution vulnerabilities found in the open source PEAR Archive_Tar library, which Drupal uses to handle TAR files in PHP.
“(The) vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them,” the Drupal Security Team explained. Thus, preventing untrusted users from uploading these types of files serves as mitigation.
But since the library's maintainers have released fixes and the Drupal team has already incorporated them, the best course of action for users is to upgrade their Drupal installation to versions 9.0.9, 8.9.10, 8.8.12, or 7.75 (depending on which branch they use).
The “known exploits” the Drupal team referenced can be found here.
They also pointed out that these newly patched vulnerabilities aren’t connected to some of those patched nearly a year ago, though “similar configuration changes may mitigate the problem until you are able to patch.”
This is the second time in the span of a week that Drupal core has received security updates: the earlier ones fixed a code execution vulnerability (CVE-2020-13671) that could have been triggered by malicious files with a double extension.
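The interim mitigation above (keep untrusted users from uploading .tar, .tar.gz, .bz2 or .tlz files) and the double-extension problem behind CVE-2020-13671 both come down to inspecting every extension segment of an uploaded filename, not just the last one. The following is an added illustration in Python, not Drupal's own code: it flags names whose segments include an archive extension from the advisory and applies an allowlist in the spirit of Drupal's allowed-extensions setting; the sample upload names and the allowlist are constructed for the example.

```python
import os
from typing import Iterable, List, Tuple

# Extension segments the advisory names as reaching Archive_Tar processing
# (CVE-2020-28948 / CVE-2020-28949). ".tar.gz" is covered by its "tar" segment.
ARCHIVE_SEGMENTS = frozenset({"tar", "bz2", "tlz"})


def extension_segments(filename: str) -> List[str]:
    """Every extension segment of a filename, lower-cased, in order.
    'Report.TAR.gz' -> ['tar', 'gz']; 'README' -> []; '.htaccess' -> []."""
    base = os.path.basename(filename.strip()).lstrip(".")
    parts = base.split(".")
    # parts[0] is the name itself; empty segments (from '..') are ignored.
    return [p.lower() for p in parts[1:] if p]


def is_archive_upload(filename: str) -> bool:
    """True if any segment is an advisory-listed archive extension, so
    'backup.tar.gz', 'x.bz2' and the double-extension 'x.tar.pdf' all match."""
    return any(seg in ARCHIVE_SEGMENTS for seg in extension_segments(filename))


def allowed_by_allowlist(filename: str, allowlist: Iterable[str]) -> bool:
    """Allowlist check: every segment must be allowed, which also rejects
    double-extension names such as 'shell.php.txt' (the CVE-2020-13671 pattern)
    and names with no extension at all."""
    allowed = {a.lower().lstrip(".") for a in allowlist}
    segs = extension_segments(filename)
    return bool(segs) and all(s in allowed for s in segs)


def triage_uploads(filenames: Iterable[str],
                   allowlist: Iterable[str] = ("pdf", "png", "txt")
                   ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split upload names into accepted names and (name, reason) rejections."""
    accepted, rejected = [], []
    for name in filenames:
        if is_archive_upload(name):
            rejected.append((name, "archive extension reaches Archive_Tar"))
        elif not allowed_by_allowlist(name, allowlist):
            rejected.append((name, "extension segment not on allowlist"))
        else:
            accepted.append(name)
    return accepted, rejected


# Constructed sample upload names for the demonstration (not from the advisory).
SAMPLE_UPLOADS = ["report.pdf", "Backup.TAR.GZ", "logs.bz2", "site.tlz",
                  "shell.php.txt", "archive.tar.pdf", "README", "photo.png"]

if __name__ == "__main__":
    ok, bad = triage_uploads(SAMPLE_UPLOADS)
    print("accepted:", ok)
    for name, reason in bad:
        print(f"rejected: {name} ({reason})")
```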