Drupal Releases Emergency Fix For Critical Bug With Known Exploits

Sienna Rowley

Drupal has released an emergency fix for critical vulnerabilities with known exploits that could allow arbitrary PHP code execution on affected versions of the CMS.

Drupal core uses the PEAR Archive_Tar library, which was recently updated to address CVE-2020-28948 and CVE-2020-28949. The first is a deserialization flaw: Archive_Tar rejected archive entry names beginning with phar://, but the check was case-sensitive, so a name such as PHAR:// slipped through and could trigger PHP's phar metadata unserialization. The second is that the filter covered only the phar wrapper, so other PHP stream wrappers such as file:// were still honoured and an archive entry could be written to an attacker-chosen location.

As a result, Drupal installations are affected when they are configured to allow uploads of .tar, .tar.gz, .bz2, or .tlz files and to process them.
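To make the defect concrete, the following is an added example, not code from Archive_Tar or Drupal. It contrasts a weak entry-name filter modelled on the pre-fix behaviour (an exact, lowercase `phar://` prefix check) with a hardened filter that rejects any stream-wrapper scheme case-insensitively, plus absolute paths and `..` traversal. The function names and the sample entry names are constructed for illustration.

```php
<?php
// Added example (not Archive_Tar or Drupal code): why the pre-fix entry-name
// check behind CVE-2020-28948 / CVE-2020-28949 was insufficient, and what a
// hardened filter for tar entry names looks like before anything is written.

declare(strict_types=1);

/**
 * Weak filter modelled on the pre-fix behaviour: only an exact, lowercase
 * "phar://" prefix is rejected. Case variants and other wrappers pass.
 */
function weakEntryNameAllowed(string $name): bool
{
    return strpos($name, 'phar://') !== 0;
}

/**
 * Hardened filter: reject any "scheme://" regardless of case (phar://,
 * PHAR://, file://, ...), absolute paths, ".." segments and NUL bytes.
 * Entry names must stay relative to the extraction directory.
 */
function hardenedEntryNameAllowed(string $name): bool
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    // Any scheme:// prefix selects a PHP stream wrapper, not a filesystem path.
    if (preg_match('~^[a-z][a-z0-9+.\-]*://~i', $name)) {
        return false;
    }
    // Normalise backslashes so Windows-style names get the same path checks.
    $normalised = str_replace('\\', '/', $name);
    if ($normalised[0] === '/' || preg_match('~^[a-z]:/~i', $normalised)) {
        return false; // absolute path or drive-letter path
    }
    foreach (explode('/', $normalised) as $segment) {
        if ($segment === '..') {
            return false; // would escape the extraction directory
        }
    }
    return true;
}

// Constructed entry names a malicious archive might carry (not real samples).
$samples = [
    'sites/default/files/report.txt',   // benign relative path
    'phar://evil.jpg/x',                // rejected by both filters
    'PHAR://evil.jpg/x',                // CVE-2020-28948: bypasses the weak check
    'file:///var/www/html/index.php',   // CVE-2020-28949: other stream wrapper
    '../../../etc/cron.d/job',          // traversal out of the extraction dir
];

foreach ($samples as $name) {
    printf("%-36s weak=%-5s hardened=%s\n",
        $name,
        weakEntryNameAllowed($name) ? 'allow' : 'deny',
        hardenedEntryNameAllowed($name) ? 'allow' : 'deny');
}
```

Run with `php` and compare the two columns: the weak filter denies only the literal lowercase `phar://` entry, while the hardened filter denies every hostile name and keeps the benign relative path. The lesson for any extraction code is to validate entry names against an allow-list of what a path may look like, rather than block-listing the one wrapper you happen to know about.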

The advisory published by CISA states that Drupal has released security updates addressing vulnerabilities in Drupal 7, 8.8 and earlier, 8.9, and 9.0. An attacker could exploit these vulnerabilities to take control of an affected system.

To address the issues, Drupal released the following updates:

  • Drupal 9.0 users should update to Drupal 9.0.9
  • Drupal 8.9 users should update to Drupal 8.9.10
  • Drupal 8.8 or earlier users should update to Drupal 8.8.12
  • Drupal 7 users should update to Drupal 7.75

The Drupal security team also noted that versions of Drupal 8 prior to 8.8.x are end-of-life and will not receive a security update.

As a mitigation until the update can be applied, the team recommends preventing untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.

According to the project's own usage statistics, around 944,000 of the 1,120,941 Drupal sites it tracks were running vulnerable versions at the time of writing.

Drupal is the fourth most popular CMS on the Internet after WordPress, Shopify and Joomla.


