GHSA-98h9-727m-44qv: Drupal core Multiple vulnerabilities due to the use of the third-party library Archive_Tar

May 15, 2024

The Drupal project uses the third-party library Archive_Tar, which has released a security improvement that is needed to protect some Drupal configurations.

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.

References

github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2019-12-18-4.yaml
github.com/advisories/GHSA-98h9-727m-44qv
github.com/drupal/core
www.drupal.org/sa-core-2019-012

Code Behaviors & Features

Detect and mitigate GHSA-98h9-727m-44qv with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →