GHSA-98h9-727m-44qv – drupal/core

Package

Manager: composer
Name: drupal/core
Vulnerable Version: >=7.0.0 <7.69 || >=8.0.0 <8.7.11 || >=8.8.0 <8.8.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Drupal core Multiple vulnerabilities due to the use of the third-party library Archive_Tar The Drupal project uses the third-party library [Archive_Tar](https://pear.php.net/package/Archive_Tar/), which has released a security improvement that is needed to protect some Drupal configurations. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them. The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.

Metadata

Created: 2024-05-15T20:45:28Z
Modified: 2024-05-15T20:45:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-98h9-727m-44qv/GHSA-98h9-727m-44qv.json
CWE IDs: []
Alternative ID: N/A
Finding: F410
Auto approve: 1