
Drupal Remote Code Execution Vulnerability (CVE-2021-32610)

Jul 23, 2021 GMT+08:00

I. Overview

Drupal has disclosed an important remote code execution vulnerability (CVE-2021-32610) in the third-party PEAR library Archive_Tar. If contrib or custom code uses this library to extract tar archives (such as .tar, .tar.gz, .bz2, or .tlz files) from potentially untrusted sources, an attacker can exploit the vulnerability to execute code remotely.

If you are a Drupal user, check your Drupal version and apply the fix promptly.
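The advisory's risk condition is extracting tar archives from untrusted sources. The following added example (not code from the advisory or from Drupal or Archive_Tar; the advisory does not describe the library's internal defect) shows the defensive pre-extraction check a practitioner applies to any untrusted tar archive before unpacking it: reject absolute paths, `..` traversal, symlinks or hardlinks that resolve outside the extraction directory, entries whose path passes through a symlink created earlier in the same archive, and device or FIFO entries. The sample archive is constructed in memory for illustration; the destination path `/srv/extract` is an assumed value.

```python
import io
import posixpath
import tarfile

# Assumed extraction root for the check; any directory works as long as
# every accepted entry resolves underneath it.
DEST = "/srv/extract"


def _inside(dest, candidate):
    """True if the normalized candidate path stays within dest."""
    dest = posixpath.normpath(dest)
    candidate = posixpath.normpath(candidate)
    return candidate == dest or candidate.startswith(dest + "/")


def unsafe_members(tar, dest=DEST):
    """Return [(member_name, reason)] for entries that must not be extracted.

    Entries are examined in archive order so that a file whose path runs
    through a symlink created earlier in the same archive is also caught.
    """
    findings = []
    symlinks = set()  # normalized names of symlink entries seen so far
    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        if posixpath.isabs(m.name):
            findings.append((m.name, "absolute path"))
            continue
        if not _inside(dest, posixpath.join(dest, m.name)):
            findings.append((m.name, "path traversal"))
            continue
        parts = name.split("/")
        if any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
            findings.append((m.name, "path passes through archive symlink"))
            continue
        if m.issym():
            symlinks.add(name)
            if posixpath.isabs(m.linkname):
                findings.append((m.name, "symlink to absolute target"))
                continue
            resolved = posixpath.join(dest, posixpath.dirname(m.name), m.linkname)
            if not _inside(dest, resolved):
                findings.append((m.name, "symlink escapes destination"))
        elif m.islnk():
            # Hardlink targets are archive-relative paths.
            if not _inside(dest, posixpath.join(dest, m.linkname)):
                findings.append((m.name, "hardlink escapes destination"))
        elif m.isdev() or m.isfifo():
            findings.append((m.name, "special file"))
    return findings


def build_sample_archive():
    """Constructed sample archive (not from the advisory) mixing one benign
    file with the entry types the check is meant to reject."""
    buf = io.BytesIO()
    data = b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        ti = tarfile.TarInfo("site/README.txt")          # benign
        ti.size = len(data)
        tar.addfile(ti, io.BytesIO(data))
        ti = tarfile.TarInfo("../../evil.txt")           # traversal
        ti.size = len(data)
        tar.addfile(ti, io.BytesIO(data))
        ti = tarfile.TarInfo("site/passwd")              # absolute symlink
        ti.type, ti.linkname = tarfile.SYMTYPE, "/etc/passwd"
        tar.addfile(ti)
        ti = tarfile.TarInfo("site/out")                 # relative symlink escaping dest
        ti.type, ti.linkname = tarfile.SYMTYPE, "../../../tmp"
        tar.addfile(ti)
        ti = tarfile.TarInfo("site/out/note.txt")        # write through the symlink
        ti.size = len(data)
        tar.addfile(ti, io.BytesIO(data))
    buf.seek(0)
    return buf


def scan_sample():
    """Run the check over the constructed archive; returns {name: reason}."""
    with tarfile.open(fileobj=build_sample_archive(), mode="r") as tar:
        return dict(unsafe_members(tar))


if __name__ == "__main__":
    for name, reason in scan_sample().items():
        print(f"REJECT {name}: {reason}")
```

Only archives with an empty findings list should be passed on to extraction. The check is library-independent: the same rules apply whether the extractor is Archive_Tar in PHP or Python's tarfile, and recent Python releases offer `tarfile.data_filter` (PEP 706) as a built-in equivalent for the Python side.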

Reference:

https://www.drupal.org/sa-core-2021-004

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Drupal 9.1.x versions before 9.1.11

Drupal 9.2.x versions before 9.2.2

Drupal 8.9.x versions before 8.9.17

Drupal 7.x versions before 7.82

(Drupal 8.x versions before 8.9 and Drupal 9.x versions before 9.1 are no longer maintained and do not receive security fixes.)

Secure versions:

Drupal 9.1.11

Drupal 9.2.2

Drupal 8.9.17

Drupal 7.82

IV. Vulnerability Handling

This vulnerability has been fixed in the official versions listed above. If your service version falls into the affected range, upgrade it to the corresponding secure version.

Note: Before applying the fix, back up your files and test the upgrade thoroughly.