The Drupal project announced multiple critical vulnerabilities in Drupal core that affect some configurations of versions 8.8.x-dev, 8.7.x-dev, and 7.x-dev.
The Drupal project uses the third-party library Archive_Tar, which released a security update (SA-CORE-2019-012), according to a Dec. 18 advisory.
Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.
The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.
Drupal also advises users to install the latest versions:
- If you are using Drupal 7.x, upgrade to Drupal 7.69.
- If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11.
- If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1.
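
As an added example (not code from the Drupal project or the advisory), this Python script triages a site against the fixed releases and archive extensions listed above. It assumes the upload allow-list is a space-separated string whose entries match as case-insensitive filename suffixes; the function names and sample sites are hypothetical.

```python
import re

# Fixed release per branch, taken from the upgrade list above.
FIXED = {"7": (7, 69), "8.7": (8, 7, 11), "8.8": (8, 8, 1)}
# Archive types the advisory names as risky when uploaded and processed.
RISKY = ("tar", "tar.gz", "bz2", "tlz")


def needs_update(version):
    """True/False for a tagged release on a listed branch, None if undecidable."""
    if not re.fullmatch(r"\d+(?:\.\d+){1,2}", version.strip()):
        return None  # e.g. "7.x-dev": a snapshot carries no comparable number
    nums = tuple(int(p) for p in version.strip().split("."))
    branch = "7" if nums[0] == 7 else ".".join(map(str, nums[:2]))
    fixed = FIXED.get(branch)
    if fixed is None or len(nums) != len(fixed):
        return None  # branch is not covered by the list above
    return nums < fixed


def accepted_risky(allowed):
    """Risky archive types that an extension allow-list would accept.

    Assumption: entries match as filename suffixes, so "gz" also admits
    "backup.tar.gz" even though "tar.gz" is not listed explicitly.
    """
    entries = [e.lower().lstrip(".") for e in allowed.split()]
    return [r for r in RISKY
            if any(("x." + r).endswith("." + e) for e in entries if e)]


def triage(version, allowed):
    """Return (status, risky_types) for one site."""
    stale = needs_update(version)
    risky = accepted_risky(allowed)
    if stale is None:
        return "review", risky   # dev snapshot or unlisted branch
    if not stale:
        return "patched", risky
    return ("exposed" if risky else "update"), risky


if __name__ == "__main__":
    # Constructed sample inventory: (core version, allowed upload extensions).
    sites = [("7.68", "png jpg tar"), ("8.7.10", "pdf gz"),
             ("8.8.1", "tar bz2"), ("8.8.x-dev", "txt")]
    for version, allowed in sites:
        print(version, repr(allowed), *triage(version, allowed))
```

A status of `exposed` means the core release predates the fix and the allow-list admits at least one of the named archive types; `review` flags dev snapshots and branches the list above does not cover.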
In addition, updating to the Drupal 7.x core release will apply the fixes for all the below: