
DRUPAL-CORE-2020-013

DRUPAL-CORE-2020-013 PUBLISHED CVSS 8.8 HIGH

The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:

* [CVE-2020-28948](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948)
* [CVE-2020-28949](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949)

Multiple vulnerabilities are possible if Drupal is configured to allow `.tar`, `.tar.gz`, `.bz2`, or `.tlz` file uploads and processes them.

**To mitigate this issue, prevent untrusted users from uploading `.tar`, `.tar.gz`, `.bz2`, or `.tlz` files.**

This is a different issue than [SA-CORE-2019-012](https://www.drupal.org/sa-core-2019-012). Similar configuration changes may mitigate the problem until you are able to patch.

Risk Scores

CVSS v4.0
8.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

| Vendor | Product | Versions |
|--------|---------|----------|
| drupal | core | 9.0.0, 8.1.2, 8.9.0 |

Timeline

  • Nov 25, 2020 CVE Published
  • Dec 10, 2025 CVE Updated