Backdrop core - Critical - Arbitrary PHP code execution - BACKDROP-SA-CORE-2020-008

Date: Wednesday, Nov 25th, 2020
Security risk: Critical
Advisory ID: BACKDROP-SA-CORE-2020-008
CVE ID: CVE-2020-28948, CVE-2020-28949
Vulnerability: Arbitrary PHP code execution

Versions affected

Backdrop Core 1.17.x versions prior to 1.17.4
Backdrop Core 1.16.x versions prior to 1.16.6

Backdrop versions 1.15 and prior do not receive security coverage.

Description

The Backdrop CMS project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Backdrop. For more information please see the CVE's linked here.

Multiple vulnerabilities are possible if Backdrop is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2 or .tlz files.

Solution

Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.17.4 release page. See the update instructions, if needed.

Nick Onom
Marketing Project Manager

Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. For last years has been actively developing AltaGrade's new back-end system.

Backdrop · Security

Backdrop core - Critical - Arbitrary PHP code execution - BACKDROP-SA-CORE-2020-008

Versions affected

Description

Solution

We value your opinion. Please add your feedback.