Drupal Releases Emergency Fix For Critical Bug With Known Exploits

Sienna Rowley
Sienna is an editor at Cloud Host News. She is an internet enthusiast, always eager to explore the latest trend in the tech space. She is a modest family woman who loves traveling in her free time.

Drupal has released an emergency fix for critical flaws, already being exploited in the wild, that could allow arbitrary PHP code execution on certain versions of the CMS.

The Drupal project uses the PEAR Archive_Tar library, which was recently updated to address CVE-2020-28948 and CVE-2020-28949.

As a result, multiple vulnerabilities affect Drupal installations that are configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and to process those files.

The advisory published by CISA states that Drupal has released security updates addressing vulnerabilities in Drupal 7, 8.8 and earlier, 8.9, and 9.0. An attacker could exploit these vulnerabilities to take control of an affected system.

To address the issues, Drupal released the following updates:

  • Drupal 9.0 users should update to Drupal 9.0.9
  • Drupal 8.9 users should update to Drupal 8.9.10
  • Drupal 8.8 or earlier users should update to Drupal 8.8.12
  • Drupal 7 users should update to Drupal 7.75

The Drupal security team further noted that versions of Drupal 8 before 8.8.x are end-of-life and will not receive a security update.

The team also suggests mitigating the issue by preventing unauthenticated users from uploading .tar, .tar.gz, .bz2, or .tlz files.
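The upload restriction suggested above can be enforced at validation time with Drupal's file validation hook. This is an added example, not code from the article or the Drupal project; the module name `mymodule` is an assumption, and the hook signature shown is the Drupal 8/9 one.

```php
<?php
// Added example (not from the article or the Drupal project): reject the
// archive types named in the advisory when the uploader is anonymous.
// Module name "mymodule" is assumed; the Drupal 8/9 hook_file_validate()
// signature is used. This complements patching, it does not replace it.

/** Extensions named in the advisory, lowercase; compound suffix listed first. */
const RISKY_ARCHIVE_EXTENSIONS = ['tar.gz', 'tar', 'bz2', 'tlz'];

/**
 * Return the risky extension that $filename ends with, or null if none.
 * Matching is case-insensitive and on the trailing suffix, so "site.TAR.GZ"
 * and "backup.Tar" are caught while "notes.tar.txt" is not.
 */
function risky_archive_extension(string $filename): ?string {
  $lower = strtolower(trim($filename));
  foreach (RISKY_ARCHIVE_EXTENSIONS as $ext) {
    $suffix = '.' . $ext;
    if (strlen($lower) > strlen($suffix)
        && substr($lower, -strlen($suffix)) === $suffix) {
      return $ext;
    }
  }
  return null;
}

/**
 * The advisory's mitigation as a single decision: anonymous users may not
 * upload any of the risky archive types; authenticated users are unaffected.
 */
function should_reject_archive_upload(string $filename, bool $is_anonymous): bool {
  return $is_anonymous && risky_archive_extension($filename) !== null;
}

/**
 * Implements hook_file_validate() (assumed module name: mymodule).
 * Drupal calls this for every uploaded file; a non-empty return array
 * blocks the upload and shows the messages to the user.
 */
function mymodule_file_validate(\Drupal\file\FileInterface $file): array {
  $errors = [];
  $anonymous = \Drupal::currentUser()->isAnonymous();
  if (should_reject_archive_upload($file->getFilename(), $anonymous)) {
    $errors[] = t('Archive uploads (.tar, .tar.gz, .bz2, .tlz) are not permitted for anonymous users.');
  }
  return $errors;
}
```

Drupal 7 exposes the same hook with a plain file object (`$file->filename`) and `user_is_logged_in()`, so the two helper functions can be reused unchanged there.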

According to the usage statistics published on Drupal's own website, around 944,000 of the 1,120,941 reporting sites are currently running a vulnerable Drupal version.

Drupal is the fourth most popular CMS on the Internet after WordPress, Shopify and Joomla.
