New versions of Drupal 7, 8.x and 9.x fix a security issue that the Drupal team classifies as critical. It stems from a programming bug in Archive_Tar, a class from the PHP library PEAR that Drupal uses. Archive_Tar has received an update, which has in turn been integrated into Drupal core. Drupal users should switch to the protected versions.
Drupal can only be attacked under certain conditions
The vulnerability, tracked as CVE-2021-32610, enables path traversal attacks using symbolic links, also known as symlinks. In traversal attacks, attackers can gain unauthorized access to confidential content by entering certain URLs. Drupal advisory SA-CORE-2021-004 does not say, though, which files or directories are particularly at risk in Drupal's case.
According to the developers' advisory, Drupal can only be attacked under certain conditions: the symlinks required for the attack are not permitted in Drupal core's own use of the archive class. However, modules from your own code or from third-party providers ("contrib or custom code") may make the CMS a target if that code is used to open tar archives from untrusted sources.
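For custom or contrib code that has to open tar archives from untrusted sources, one pre-extraction check is to refuse link members and names that leave the destination directory. The PHP below is an added example, not Drupal or PEAR code; the function names are hypothetical, and the entry keys (filename, typeflag, link) assume the row shape returned by Archive_Tar::listContent().

```php
<?php
// Added example. Entry keys mimic Archive_Tar::listContent() rows (assumption; verify locally).

/** Lexically resolve $path under $base; return null if it would escape $base. */
function resolve_inside(string $base, string $path): ?string
{
    if ($path === '' || $path[0] === '/' || strpos($path, "\0") !== false) {
        return null; // empty, absolute, or NUL-containing names are refused
    }
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if (!$parts) {
                return null; // climbs above the extraction root
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return rtrim($base, '/') . '/' . implode('/', $parts);
}

/** Return the reasons to refuse the archive; an empty list means no finding. */
function audit_tar_entries(array $entries, string $dest): array
{
    $problems = [];
    foreach ($entries as $e) {
        $name = (string) $e['filename'];
        $type = (string) ($e['typeflag'] ?? '0');
        if ($type === '1' || $type === '2') { // tar typeflag 1 = hard link, 2 = symlink
            $problems[] = "link member refused: $name -> " . ($e['link'] ?? '');
        } elseif (resolve_inside($dest, $name) === null) {
            $problems[] = "path escapes destination: $name";
        }
    }
    return $problems;
}

// Constructed sample listing standing in for an untrusted archive.
$listing = [
    ['filename' => 'theme/style.css', 'typeflag' => '0', 'link' => ''],
    ['filename' => 'theme/cfg',       'typeflag' => '2', 'link' => '../../elsewhere'],
    ['filename' => '../outside.txt',  'typeflag' => '0', 'link' => ''],
];
echo implode(PHP_EOL, audit_tar_entries($listing, '/var/tmp/extract')), PHP_EOL;
```

A check like this complements the update to a fixed Archive_Tar release; it does not replace it.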
Secure Drupal and Archive_Tar versions
Depending on the version series in use, the Drupal team recommends updating to Drupal 7.82, 8.9.17, 9.1.11 or 9.2.2. The protected versions are linked in the advisory mentioned above.
The PEAR team fixed CVE-2021-32610 last Tuesday: Archive_Tar version 1.4.14 is available and should be adopted immediately by security-conscious developers.