The Backdrop CMS project uses the third-party library Archive_Tar, which has released a security update that impacts some Backdrop configurations.
Multiple vulnerabilities are possible if Backdrop is configured to allow .tlz file uploads, and processes them.
The latest versions of Backdrop update Archive_Tar to 1.4.9 to mitigate these file processing vulnerabilities.
- Backdrop Core 1.14.x versions prior to 1.14.2
- Backdrop Core 1.13.x versions prior to 1.13.5