CVE-2020-28948

HIGH7.8EPSS 76.9%

drupal7 - security update

Published: 11/25/2020Modified: 3/9/2026

Also known as:GHSA-75c5-f4gw-38r9 GHSA-jh5x-hfhg-78jqBIT-drupal-2020-28948BIT-drupal-2020-28949DEBIAN-CVE-2020-28948DLA-2466-1DRUPAL-CORE-2020-013

Description

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

Affected packages (9)

Bitnami/drupal>= 7.0.0, < 7.75.0, >= 8.0.0, < 8.9.10, >= 9.0.0, < 9.0.9
Bitnami/drupal>= 7.0.0, < 7.75.0, >= 8.0.0, < 8.9.10, >= 9.0.0, < 9.0.9
Debian/drupal7from 0, < 7.52-2+deb9u13
Debian/php-pearfrom 0, < 1:1.10.1+submodules+notgz-9+deb9u2
Debian/php-pearfrom 0, < 1:1.10.9+submodules+notgz-1.1
Debian/php-pearfrom 0, < 1:1.10.6+submodules+notgz-1.1+deb10u1
Packagist/drupal/core>= 8.0.0, < 8.8.12 | >= 8.9.0, < 8.9.10 | >= 9.0.0, < 9.0.9
Packagist/pear/archive_tarfrom 0, < 1.4.11
Packagist/pear/archive_tarfrom 0, < 1.4.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

Description

Affected packages (9)

CVSS scores

References (31)