Security advisories: Drupal core – Critical – Third-party libraries – SA-CORE-2021-001

Project: 
Date: 
2021-January-20
Vulnerability: 
Third-party libraries
Description: 
The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal. For more information please see:

Exploits may be possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.

Solution: 

Install the latest version:

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Disable uploads of .tar, .tar.gz, .bz2, or .tlz files to mitigate the vulnerability.

Fixed By: