GHSA-j66p-fvp2-fxhj: Drupal core Arbitrary PHP code execution

May 15, 2024

The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see: CVE-2020-28948 CVE-2020-28949

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.

To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.

References

github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2020-11-25.yaml
github.com/advisories/GHSA-j66p-fvp2-fxhj
github.com/drupal/drupal
www.drupal.org/sa-core-2020-013

Code Behaviors & Features

Detect and mitigate GHSA-j66p-fvp2-fxhj with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →