Drupal released a security advisory on January 20th to address a critical vulnerability in a third-party library. The library comes from PHP’s PEAR, which describes itself as “a framework and distribution system for reusable PHP components.” Drupal’s advisory states that the project uses Archive_Tar from the PEAR framework to process .tar, .tar.gz, .bz2 and .tlz archive uploads. The Drupal vulnerability is tracked as CVE-2020-36193 and could allow directory traversal when extracting files because symbolic links are not checked properly. A specially crafted archive could have its contents extracted outside of the intended directory, potentially causing malicious content to be served on the website. CVE-2020-36193 is related to CVE-2020-28948, which affects versions of Archive_Tar up to and including version 1.14.10.
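The check below is an added example, not code from Drupal or Archive_Tar. It shows a pre-extraction scan that rejects archive entries whose symbolic or hard link targets leave the extraction root, and entries written through a link stored earlier in the same archive. The function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def _escapes(path: str) -> bool:
    """True if a '/'-separated path is absolute or climbs above the root."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(path) or norm == ".." or norm.startswith("../")


def unsafe_members(data: bytes) -> list[tuple[str, str]]:
    """List (entry name, reason) for tar entries that could write outside the root."""
    findings, links = [], set()
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            parts = name.split("/")
            if _escapes(m.name):
                findings.append((m.name, "entry path escapes the root"))
            elif any("/".join(parts[:i]) in links for i in range(1, len(parts) + 1)):
                # Written at or beneath an earlier link: data lands where the link points.
                findings.append((m.name, "entry path goes through an archived link"))
            if m.issym() or m.islnk():
                # Symlink targets resolve from the link's directory, hard links from the root.
                base = posixpath.dirname(name) if m.issym() else ""
                if _escapes(posixpath.join(base, m.linkname)):
                    findings.append((m.name, "link target escapes the root"))
                links.add(name)
    return findings


def build_sample() -> bytes:
    """Constructed archive: a benign file and link, an escaping link, a write through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, linkname=None, body=b""):
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type, info.linkname = tarfile.SYMTYPE, linkname
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body) if body else None)
        add("docs/readme.txt", body=b"hello\n")
        add("docs/latest", linkname="readme.txt")
        add("uploads/link", linkname="../../outside")
        add("uploads/link/index.html", body=b"constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample()):
        print(f"REJECT {name}: {reason}")
```

An upload handler would run such a scan before handing the archive to any extractor and refuse the whole archive if the list is non-empty.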