GHSA-gxxj-g9v8-w28p: Drupal core Arbitrary PHP code execution

May 15, 2024

The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see: CVE-2020-28948 CVE-2020-28949

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.

To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.

References

github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2020-11-25.yaml
github.com/advisories/GHSA-gxxj-g9v8-w28p
github.com/drupal/core
www.drupal.org/sa-core-2020-013

Detect and mitigate GHSA-gxxj-g9v8-w28p with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →