Date:
Wednesday, Jan 27th, 2021
Advisory ID:
BACKDROP-SA-CORE-2021-001
Security risk:
Critical
Vulnerability:
Third Party Libraries
CVE ID:
Versions affected:
- Backdrop Core 1.18.x versions prior to 1.18.1
- Backdrop Core 1.17.x versions prior to 1.17.6
Backdrop versions 1.16 and prior do not receive security coverage.
Description:
The Backdrop project uses the pear Archive_Tar library, which has released a security update that impacts Backdrop. For more information please see:
Exploits may be possible if Backdrop is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them, or if the Installer module is enabled.
Solution:
Upgrade your site to the most recent version of Backdrop core. Download available on the Backdrop CMS 1.18.1 release page. See the update instructions, if needed.
Reported By:
Fixed By:
- Lee Rowlands of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Vijay Mani Provisional Member of the Drupal Security Team
- Jess of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Jen Lampton of the Backdrop CMS Security Team