8/10/2023

Drupal core update vulnerability

This is the second time in the span of a week that Drupal core has received security updates: the earlier ones fixed a code execution vulnerability (CVE-2020-13671) that could have been triggered by malicious files with a double extension.

They also pointed out that these newly patched vulnerabilities aren’t connected to some of those patched nearly a year ago, though “similar configuration changes may mitigate the problem until you are able to patch.”

However, forms added through contributed or custom modules or themes may be affected. Sites are urged to update immediately after reading the notes below and the security announcement: Drupal core - Critical - Third-party library - SA-CORE-2021-011. No forms provided by Drupal core are known to be vulnerable. This release fixes security vulnerabilities. The “known exploits” the Drupal team referenced can be found here. Maintenance and security release of the Drupal 9 series.

Thus, preventing untrusted users from uploading these types of files serves as mitigation.

But, as the maintainers of the library have updated it with fixes, the Drupal team has already implemented them, and the best course of action for users is to upgrade their Drupal installation to versions 9.0.9, 8.9.10, 8.8.12, or 7.75 (depending on which branch they use).

tlz file uploads and processes them,” the Drupal Security Team explained. “(The) vulnerabilities are possible if Drupal is configured to allow. This vulnerability is mitigated by the fact that an attacker must have a.

The vulnerabilities (CVE-2020-28948, CVE-2020-28949)

CVE-2020-28948 and CVE-2020-28949 are arbitrary PHP code execution vulnerabilities found in the open source PEAR Archive_Tar library, which Drupal uses to handle TAR files in PHP.
Drupal has released out-of-band security updates to fix two critical code execution flaws (CVE-2020-28948, CVE-2020-28949) in Drupal core, as “there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable.”