New versions of Drupal 7, 8.x and 9.x fix a security problem that the Drupal team classifies as critical. It stems from a programming error in Archive_Tar, a class from the PHP library PEAR that Drupal uses. An update for Archive_Tar is available and has consequently also been incorporated into the Drupal core. Drupal users should switch to the secured versions.
Drupal can only be attacked to a limited extent
The vulnerability, tracked as CVE-2021-32610, enables path traversal attacks using symbolic links (symlinks). By entering certain URLs, attackers can gain unauthorized access to potentially confidential content in such a path traversal. Which files or directories are specifically at risk in Drupal's case is, however, not stated in the Drupal advisory SA-CORE-2021-004.
Drupal can only be attacked under certain conditions, the developers emphasize in the advisory: the symlinks required for an attack are not permitted when the Drupal core itself uses Archive_Tar. However, site-specific program code or modules from third-party providers ("contrib or custom code") could make the CMS a target if that code uses Archive_Tar to open tar archives from dubious sources.
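As an added illustration (not Archive_Tar's or Drupal's code), the following Python snippet shows the archive pattern behind a symlink-based path traversal and a pre-extraction check that rejects it: a link entry followed by a regular entry whose path runs through the link. The archive contents and the `/tmp/...` link target are constructed placeholders.

```python
import io
import posixpath
import tarfile

def audit_tar_members(members):
    """Return (name, reason) pairs for entries a safe extractor should refuse:
    absolute or '..' paths, any symlink/hardlink entry, and any regular entry
    whose path passes through a link declared earlier (symlink-then-write)."""
    problems = []
    link_paths = set()  # normalized paths of link entries seen so far
    for m in members:
        name = posixpath.normpath(m.name)
        if posixpath.isabs(m.name) or name == ".." or name.startswith("../"):
            problems.append((m.name, "path escapes the extraction root"))
            continue
        if m.issym() or m.islnk():
            problems.append((m.name, "link entry pointing to %s" % m.linkname))
            link_paths.add(name)
            continue
        parts = name.split("/")
        for i in range(1, len(parts)):  # check every parent directory
            prefix = "/".join(parts[:i])
            if prefix in link_paths:
                problems.append((m.name, "written through link %s" % prefix))
                break
    return problems

def build_demo_tar():
    """Constructed sample archive (not a real-world artifact): a symlink entry
    followed by a file whose path runs through that symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("cfg")
        link.type = tarfile.SYMTYPE
        link.linkname = "/tmp/outside-the-extraction-root"  # placeholder target
        tar.addfile(link)
        data = b"constructed content\n"
        through_link = tarfile.TarInfo("cfg/file.txt")
        through_link.size = len(data)
        tar.addfile(through_link, io.BytesIO(data))
        harmless = tarfile.TarInfo("readme.txt")
        harmless.size = len(data)
        tar.addfile(harmless, io.BytesIO(data))
    buf.seek(0)
    return buf

def audit_tar(fileobj):
    """Audit an archive before handing it to any extractor."""
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        return audit_tar_members(tar.getmembers())
```

Running `audit_tar(build_demo_tar())` flags the link entry and the file written through it, while `readme.txt` passes.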
Secured Drupal and Archive_Tar version(s)
Depending on the version series in use, the Drupal team recommends updating to Drupal 7.82, 8.9.17, 9.1.11 or 9.2.2. The secured versions are linked in the advisory mentioned above.
The PEAR team patched CVE-2021-32610 last Tuesday: Archive_Tar version 1.4.14 is available and should be adopted immediately by security-conscious developers.