Security Experts:

Connect with us

Hi, what are you looking for?



Drupal Releases Out-of-Band Security Updates Due to Availability of Exploits

The developers of the Drupal content management system (CMS) released out-of-band security updates right before Thanksgiving due to the availability of exploits.

The developers of the Drupal content management system (CMS) released out-of-band security updates right before Thanksgiving due to the availability of exploits.

The core updates released for Drupal 7, 8.8, 8.9 and 9.0 on November 25 address a couple of vulnerabilities affecting PEAR Archive_Tar, a third-party library designed for handling .tar files in PHP.

The developers of the library released an update recently to address two vulnerabilities, tracked as CVE-2020-28948 and CVE-2020-28949, that can be exploited to bypass Phar unresialization protections.

Exploitation involves manipulating file names and it can allow an attacker to execute arbitrary PHP code or overwrite files, including important files such as /etc/passwd and /etc/shadow.

The researcher who reported the vulnerabilities to PEAR developers also made public proof-of-concept (PoC) exploits so Drupal decided to roll out the patches to its users as soon as possible.

“According to the regular security release window schedule, November 25th would not typically be a core security window. However, this release is necessary because there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable,” Drupal noted in its advisory.

Drupal developers pointed out that exploitation is possible if the CMS is configured to allow uploading .tar, .tar.gz, .bz2 or .tlz files. Similar vulnerabilities related to the same PEAR library were patched one year ago, but Drupal noted that they are not related, although the same types of configuration changes can mitigate the issue. The recommended mitigation involves preventing untrusted users from uploading files with the aforementioned extensions.

The latest updates have been assigned a “critical” severity rating, but it’s worth mentioning that Drupal uses the NIST Common Misuse Scoring System, which assigns vulnerabilities a score ranging between 0 and 25, with “critical” being only the second highest rating, after “highly critical.”

This is the sixth security update released this year for Drupal. The fifth was released earlier this month to patch a remote code execution vulnerability related to failure to properly sanitize the names of uploaded files.

Related: XSS, Open Redirect Vulnerabilities Patched in Drupal

Related: Drupal Patches Code Execution Flaw Most Likely to Impact Windows Servers

Related: Critical Drupal Vulnerability Allows Remote Code Execution

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet