
Drupal Remote Code Execution Vulnerability (CVE-2020-36193)

Jan 25, 2021 GMT+08:00

I. Overview

Drupal has officially released a security advisory disclosing a remote code execution vulnerability (CVE-2020-36193). The vulnerability lies in the third-party library pear/archive_tar, which Drupal uses to process archive uploads. If a Drupal site allows .tar, .tar.gz, .bz2, or .tlz files to be uploaded and processed, an attacker may be able to execute code on the server remotely.

If you are a Drupal user, check your Drupal version and implement timely security hardening.

For more information about this vulnerability, visit the following website:

https://www.drupal.org/sa-core-2021-001

II. Severity

Severity: important

(Severity levels, from lowest to highest: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Drupal before 9.1.3 in Drupal 9.1 series

Drupal before 9.0.11 in Drupal 9.0 series

Drupal before 8.9.13 in Drupal 8.9 series

Drupal before 7.78 in Drupal 7 series

(Drupal 8 releases before the 8.9 series are no longer maintained and will not receive a fix.)

Secure versions:

Drupal 9.1.3 in Drupal 9.1 series

Drupal 9.0.11 in Drupal 9.0 series

Drupal 8.9.13 in Drupal 8.9 series

Drupal 7.78 in Drupal 7 series

IV. Vulnerability Handling

This vulnerability has been fixed in the official versions listed above. If your Drupal version falls into the affected range, upgrade it to the secure version for your series (or later).

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
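As an added illustration (not part of this notice and not Drupal's own code), the following Python script classifies a Drupal version string against the affected and secure versions listed in section III, and reports which configured upload extensions expose the archive-processing path named in section I. It assumes the allowed-extensions input is a space-separated string in the form used by Drupal's file field setting, and that an allowed "gz" extension also admits ".tar.gz" uploads because Drupal's extension check matches the final extension; both are assumptions, not statements from the notice.

```python
"""Check a Drupal version and upload settings against CVE-2020-36193.

Added example, not Drupal's code. Fixed versions are copied from
section III of the notice; verify against the linked advisory.
"""
import re

# Fixed version per release series, from section III of the notice.
FIXED_VERSIONS = {
    "9.1": (9, 1, 3),
    "9.0": (9, 0, 11),
    "8.9": (8, 9, 13),
    "7": (7, 78),
}

# Archive types the notice names as the trigger. "gz" is included on the
# assumption that an allowed "gz" extension also admits ".tar.gz" uploads,
# since Drupal's extension check looks at the final extension.
RISKY_EXTENSIONS = {"tar", "tar.gz", "gz", "bz2", "tlz"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?")


def parse_version(version):
    """Return (numeric_parts, is_prerelease) for '9.1.3', '7.78' or '9.1.3-rc1'."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    numbers = tuple(int(p) for p in m.group(1, 2, 3) if p is not None)
    return numbers, m.group(4) is not None


def _sort_key(numbers, is_prerelease):
    # A pre-release (e.g. 9.1.3-rc1) sorts below the final 9.1.3 release.
    return numbers + ((0,) if is_prerelease else (1,))


def series_of(numbers):
    """Map a version to the series naming used in the notice ('7', '8.9', '9.1')."""
    if numbers[0] == 7:
        return "7"
    return f"{numbers[0]}.{numbers[1]}"


def assess_version(version):
    """Classify a version as 'affected', 'fixed', 'unsupported' or 'unknown'."""
    numbers, pre = parse_version(version)
    series = series_of(numbers)
    fixed = FIXED_VERSIONS.get(series)
    if fixed is None:
        if numbers[0] == 8:
            # Section III: Drupal 8 before the 8.9 series is unmaintained.
            return "unsupported", "Drupal 8 before 8.9 gets no fix; move to a supported series"
        return "unknown", f"series {series} is not covered by this notice"
    fixed_str = ".".join(map(str, fixed))
    if _sort_key(numbers, pre) < _sort_key(fixed, False):
        return "affected", f"upgrade to Drupal {fixed_str}"
    return "fixed", f"at or above Drupal {fixed_str}"


def risky_upload_extensions(allowed_extensions):
    """Return the allowed upload extensions that expose the vulnerable archive path."""
    allowed = {ext.lower().lstrip(".") for ext in allowed_extensions.split()}
    return sorted(allowed & RISKY_EXTENSIONS)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real site.
    for v in ("7.77", "7.78", "8.8.12", "8.9.13", "9.0.10", "9.1.3-rc1", "9.1.3"):
        print(v, *assess_version(v))
    print("risky extensions:", risky_upload_extensions("txt pdf png tar gz"))
```

A result of "affected" means the upgrade in section IV applies; "unsupported" means the site is on a Drupal 8 series that will not receive the fix and needs a migration rather than a point upgrade. A non-empty list from risky_upload_extensions shows which configured extensions reach the pear/archive_tar code path and is worth reviewing even after upgrading.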