CVE-2020-28948

HIGH7.8EPSS 76.9%

drupal7 - security update

發布日:2020/11/25修改日:2026/3/9

也稱為:GHSA-75c5-f4gw-38r9 GHSA-jh5x-hfhg-78jqBIT-drupal-2020-28948BIT-drupal-2020-28949DEBIAN-CVE-2020-28948DLA-2466-1DRUPAL-CORE-2020-013

描述

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

受影響套件(9)

Bitnami/drupal>= 7.0.0, < 7.75.0, >= 8.0.0, < 8.9.10, >= 9.0.0, < 9.0.9
Bitnami/drupal>= 7.0.0, < 7.75.0, >= 8.0.0, < 8.9.10, >= 9.0.0, < 9.0.9
Debian/drupal7from 0, < 7.52-2+deb9u13
Debian/php-pearfrom 0, < 1:1.10.1+submodules+notgz-9+deb9u2
Debian/php-pearfrom 0, < 1:1.10.9+submodules+notgz-1.1
Debian/php-pearfrom 0, < 1:1.10.6+submodules+notgz-1.1+deb10u1
Packagist/drupal/core>= 8.0.0, < 8.8.12 | >= 8.9.0, < 8.9.10 | >= 9.0.0, < 9.0.9
Packagist/pear/archive_tarfrom 0, < 1.4.11
Packagist/pear/archive_tarfrom 0, < 1.4.11

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H

描述

受影響套件(9)

CVSS 分數

參考連結(31)