Service Notices
Drupal Arbitrary PHP Code Execution Vulnerability (CVE-2020-28949 and CVE-2020-28948)
Dec 09, 2020 GMT+08:00
I. Overview
Drupal has officially released security advisory SA-CORE-2020-013 for two vulnerabilities in the PEAR Archive_Tar library that Drupal core bundles: CVE-2020-28948, a phar:// deserialization bypass (the library blocked the lowercase "phar:" prefix but not "PHAR:"), and CVE-2020-28949, in which other stream wrappers such as file:// were not filtered, so an archive entry could overwrite files on the server. A site is exposed only if it is configured to accept .tar, .tar.gz, .bz2, or .tlz uploads and then processes those archives; an attacker who can get such a file processed can execute arbitrary PHP code on the server.
If you run Drupal, check the installed core version and the upload settings of your file fields, and apply the hardening below without delay.
References:
https://www.drupal.org/sa-core-2020-013
II. Severity
Severity: important (Drupal's own advisory rates the issue Critical)
(Severity scale used in this notice: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Drupal 9.0.x versions earlier than 9.0.9
Drupal 8.9.x versions earlier than 8.9.10
Drupal 8.8.x versions earlier than 8.8.12
Drupal 7.x versions earlier than 7.75
Secure versions:
Drupal 9.0.9
Drupal 8.9.10
Drupal 8.8.12
Drupal 7.75
IV. Vulnerability Handling
Both vulnerabilities are fixed in the releases listed above. If your version falls into an affected range, upgrade to the secure version of the same branch (for example, 8.8.x to 8.8.12, 7.x to 7.75):
https://www.drupal.org/project/drupal/releases
Other Workarounds:
If you cannot upgrade immediately, do not allow untrusted users to upload .tar, .tar.gz, .bz2, or .tlz files: remove those extensions from the allowed-extension list of every file and image field, and review any custom or contributed code that extracts user-supplied archives with Archive_Tar.
Note: Before upgrading, back up your files and database and test the upgrade in a staging environment.
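The following script is an added example for the checks described in this notice; it is not part of the original notice or of Drupal itself. It encodes the affected and secure version ranges listed above, reads the core version string from the source file where Drupal 8/9 (`core/lib/Drupal.php`) and Drupal 7 (`includes/bootstrap.inc`) define it, and scans an exported file-field configuration (`field.field.*.yml`) for the archive extensions named in the workaround. The sample PHP and YAML inputs are constructed for the example, and the inclusion of `tgz` in the risky list is an assumption (a common short form of .tar.gz) rather than something the notice states.

```python
"""Audit a Drupal site against SA-CORE-2020-013 (CVE-2020-28948/28949).

Added example, not Drupal's own code. Version ranges come from the notice;
the version-string locations and the field config layout are Drupal's
standard ones; all sample inputs below are constructed.
"""
import re

# Branch prefix -> first fixed version, from the notice's "Affected Products".
FIXED_BY_BRANCH = {
    (9, 0): (9, 0, 9),
    (8, 9): (8, 9, 10),
    (8, 8): (8, 8, 12),
    (7,): (7, 75),
}

# Extensions the workaround says untrusted users must not upload.
# "tgz" is an assumption (short form of .tar.gz), not listed in the notice.
RISKY_EXTENSIONS = {"tar", "gz", "bz2", "tlz", "tgz"}

VERSION_PATTERNS = (
    # Drupal 8/9: core/lib/Drupal.php -> const VERSION = '9.0.8';
    re.compile(r"const\s+VERSION\s*=\s*'([^']+)'"),
    # Drupal 7: includes/bootstrap.inc -> define('VERSION', '7.74');
    re.compile(r"define\('VERSION',\s*'([^']+)'\)"),
)

# Drupal config export writes the allowed list as a space-separated string.
FILE_EXT_RE = re.compile(r"^\s*file_extensions:\s*(.+?)\s*$", re.MULTILINE)


def parse_version(version):
    """'9.0.8' -> (9, 0, 8); trailing labels such as '-dev' or '-rc1' are dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def is_affected(version):
    """Return (affected, fixed_version) for a Drupal core version string.

    Branches the notice does not list (e.g. end-of-life 8.7.x) return
    (None, None) so the caller can handle them separately.
    """
    if not version:
        return None, None
    v = parse_version(version)
    branch = v[:1] if v[0] == 7 else v[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return None, None
    return v < fixed, ".".join(str(p) for p in fixed)


def extract_version(php_source):
    """Pull the core version out of Drupal.php (8/9) or bootstrap.inc (7)."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(php_source)
        if match:
            return match.group(1)
    return None


def risky_extensions(field_config_yaml):
    """Return the risky archive extensions allowed by one field.field.*.yml export."""
    match = FILE_EXT_RE.search(field_config_yaml)
    if not match:
        return set()
    allowed = match.group(1).strip("'\"").lower().split()
    return RISKY_EXTENSIONS.intersection(allowed)


def audit(php_source, field_config_yaml):
    """Combine both checks into one findings dict."""
    version = extract_version(php_source)
    affected, fixed = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "fixed_in": fixed,
        "risky_extensions": sorted(risky_extensions(field_config_yaml)),
    }


# Constructed sample inputs: a vulnerable 9.0.8 core and a file field that
# accepts tar/gz/bz2 uploads from whoever may create articles.
SAMPLE_DRUPAL_PHP = "class Drupal {\n  const VERSION = '9.0.8';\n}\n"
SAMPLE_FIELD_YAML = """id: node.article.field_attachment
field_name: field_attachment
entity_type: node
bundle: article
settings:
  file_extensions: 'txt pdf tar gz bz2'
  file_directory: '[date:custom:Y]-[date:custom:m]'
field_type: file
"""

if __name__ == "__main__":
    print(audit(SAMPLE_DRUPAL_PHP, SAMPLE_FIELD_YAML))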