Drupal core Multiple vulnerabilities due to the use of the third-party library Archive_Tar
High severity
GitHub Reviewed
Published
May 15, 2024
to the GitHub Advisory Database
•
Updated May 15, 2024
Package
Affected versions
>= 7.0.0, < 7.69
>= 8.0.0, < 8.7.11
>= 8.8.0, < 8.8.1
Patched versions
7.69
8.7.11
8.8.1
Description
Published to the GitHub Advisory Database
May 15, 2024
Reviewed
May 15, 2024
Last updated
May 15, 2024
The Drupal project uses the third-party library Archive_Tar, which has released a security improvement that is needed to protect some Drupal configurations.
Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.
The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.
References