CVSS2: 6.8 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.936 High
Percentile: 99.1%

The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information, please see:

CVE-2020-28948
CVE-2020-28949

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.

To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.

This is a different issue than SA-CORE-2019-012. Similar configuration changes may mitigate the problem until you are able to patch.

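One way to check a site against the mitigation above is to audit exported field configuration for upload fields that still accept the listed archive types. This is an added example, not code from the advisory or from Drupal; it assumes Drupal 8/9 style exported field config in which allowed extensions appear in a space-separated `file_extensions` setting, and the file names and field names in the sample are constructed.

```python
import re

# Extensions named in the advisory. "gz" is included on the assumption that a
# field allowing it will accept .tar.gz uploads (matching on the final suffix).
RISKY = {"tar", "tar.gz", "gz", "bz2", "tlz"}

# Constructed sample: two exported field configs with hypothetical field names.
SAMPLE_CONFIGS = {
    "field.field.node.article.field_attachment.yml": """\
field_name: field_attachment
field_type: file
settings:
  file_extensions: 'txt pdf TAR gz'
""",
    "field.field.node.page.field_image.yml": """\
field_name: field_image
field_type: image
settings:
  file_extensions: "png gif jpg jpeg"
""",
}

# Matches a "file_extensions: ..." line at any indentation level.
EXT_LINE = re.compile(r"^\s*file_extensions:\s*(.*?)\s*$", re.MULTILINE)


def risky_extensions(config_text):
    """Return the sorted archive extensions a config text allows for upload."""
    found = set()
    for raw in EXT_LINE.findall(config_text):
        value = raw.strip("'\"")
        for token in re.split(r"[\s,]+", value):
            # Normalise case and a leading dot before comparing.
            token = token.lower().lstrip(".")
            if token in RISKY:
                found.add(token)
    return sorted(found)


def audit(configs):
    """Map each config name to the risky extensions it allows, if any."""
    report = {}
    for name, text in configs.items():
        hits = risky_extensions(text)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_CONFIGS).items():
        print(f"{name}: allows {', '.join(hits)}")
```

A flagged field still needs a manual check of which roles can upload to it, since the advisory's concern is untrusted users.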
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949
www.drupal.org/node/1173280
www.drupal.org/project/drupal/releases/7.75
www.drupal.org/project/drupal/releases/8.8.12
www.drupal.org/project/drupal/releases/8.9.10
www.drupal.org/project/drupal/releases/9.0.9
www.drupal.org/sa-core-2019-012
www.drupal.org/user/102818
www.drupal.org/user/255969
www.drupal.org/user/3064
www.drupal.org/user/3564081
www.drupal.org/user/395439
www.drupal.org/user/65776