The updates fix two vulnerabilities, CVE-2020-28948 and CVE-2020-28949.
Exploitation involves manipulating filenames inside an archive and can allow an attacker to execute PHP code or overwrite files, including sensitive system files such as /etc/passwd and /etc/shadow.
The researcher who reported the vulnerabilities also published proof-of-concept (PoC) exploits, which is why the Drupal developers decided to release dedicated updates to protect their users from possible attacks.
The patch released on November 25 falls outside the regular release schedule. It was nevertheless necessary because exploits are publicly known that make certain Drupal configurations vulnerable to attack.
The Drupal developers have pointed out that exploitation is possible if the CMS is configured to allow the upload of .tar, .tar.gz, .bz2 or .tlz files. Last year, similar vulnerabilities in the same PEAR library were fixed. According to the developers, the current vulnerabilities are not related to last year's, although the same configuration changes may mitigate the problem. One recommendation given to site operators is to prohibit untrusted users from uploading archives with the above extensions.
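Beyond blocking the extensions, a defender can inspect an uploaded archive's index before anything is extracted and reject entries whose names or link targets would land outside the extraction directory, which is the class of filename manipulation described above. The following is an added example written for this article, not code from Drupal or the PEAR library; the sample archive it builds is constructed here and the helper names are the author's own.

```python
import io
import posixpath
import tarfile


def _escapes_root(name: str) -> bool:
    """True if a path is absolute or climbs above the extraction root."""
    if name.startswith("/") or name.startswith("\\"):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def unsafe_tar_members(tar_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member_name, reason) for every entry that could write outside
    the extraction directory. Only the archive index is read; nothing is
    extracted, so a malicious archive is never applied to the filesystem."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if _escapes_root(m.name):
                findings.append((m.name, "entry name escapes extraction root"))
            elif m.issym() or m.islnk():
                # Symlink targets are relative to the member's directory,
                # hard link targets are relative to the archive root.
                base = posixpath.dirname(m.name) if m.issym() else ""
                target = m.linkname
                if not target.startswith("/"):
                    target = posixpath.join(base, target)
                if _escapes_root(target):
                    findings.append((m.name, f"link target escapes root: {m.linkname}"))
    return findings


def build_sample_tar() -> bytes:
    """Constructed sample .tar.gz (not from any real exploit): one benign file
    plus three entries shaped like the filename manipulation discussed above."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name in ("site/readme.txt", "/etc/passwd", "../../etc/shadow"):
            info = tarfile.TarInfo(name)      # absolute path and traversal entries
            info.size = 1
            tf.addfile(info, io.BytesIO(b"x"))
        link = tarfile.TarInfo("site/cfg")    # symlink pointing above the root
        link.type = tarfile.SYMTYPE
        link.linkname = "../../etc"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_tar_members(build_sample_tar()):
        print(f"REJECT {name!r}: {reason}")
```

An upload handler would call `unsafe_tar_members` on the stored file and refuse the archive if the list is non-empty, in addition to the extension restriction the advisory recommends.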
Source: Security Week