View online: https://www.drupal.org/sa-core-2020-012

Project: Drupal core [1]
Date: 2020-November-18
Security risk: *Critical* 17∕25
AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Remote code execution

CVE IDs: CVE-2020-13671
Description: 
Drupal core does not properly sanitize certain filenames on uploaded files,
which can lead to files being interpreted as the incorrect extension and
served as the wrong MIME type or executed as PHP for certain hosting
configurations.

Solution: 
Install the latest version:

* If you are using Drupal 9.0, update to Drupal 9.0.8 [3]
* If you are using Drupal 8.9, update to Drupal 8.9.9 [4]
* If you are using Drupal 8.8 or earlier, update to Drupal 8.8.11 [5]
* If you are using Drupal 7, update to Drupal 7.74 [6]

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage.

Additionally, it’s recommended that you audit all previously uploaded files
to check for malicious extensions. Look specifically for files that include
more than one extension, like .php.txt or .html.gif.

Reported By: 
* ufku [7]
* Mark Ferree [8]
* Frédéric G. Marand [9]
* Samuel Mortenson [10] of the Drupal Security Team
* Derek Wright [11]

Fixed By: 
* Heine [12] of the Drupal Security Team
* ufku [13]
* Mark Ferree [14]
* Michael Hess [15] of the Drupal Security Team
* David Rothstein [16] of the Drupal Security Team
* Peter Wolanin [17] of the Drupal Security Team
* Jess [18] of the Drupal Security Team
* Frédéric G. Marand [19]
* Stefan Ruijsenaars [20]
* David Snopek [21] of the Drupal Security Team
* Rick Manelius [22]
* David Strauss [23] of the Drupal Security Team
* Samuel Mortenson [24] of the Drupal Security Team
* Ted Bowman [25]
* Alex Pott [26] of the Drupal Security Team
* Derek Wright [27]
* Lee Rowlands [28] of the Drupal Security Team
* Kim Pepper [29]
* Wim Leers [30]
* Nate Lampton [31]
* Drew Webber [32] of the Drupal Security Team
* Fabian Franz [33]
* Alex Bronstein [34] of the Drupal Security Team
* Neil Drumm [35] of the Drupal Security Team
* Joseph Zhao [36]
* Ryan Aslett [37]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/9.0.8
[4] https://www.drupal.org/project/drupal/releases/8.9.9
[5] https://www.drupal.org/project/drupal/releases/8.8.11
[6] https://www.drupal.org/project/drupal/releases/7.74
[7] https://www.drupal.org/user/9910
[8] https://www.drupal.org/user/76245
[9] https://www.drupal.org/user/27985
[10] https://www.drupal.org/user/2582268
[11] https://www.drupal.org/user/46549
[12] https://www.drupal.org/user/17943
[13] https://www.drupal.org/user/9910
[14] https://www.drupal.org/user/76245
[15] https://www.drupal.org/user/102818
[16] https://www.drupal.org/user/124982
[17] https://www.drupal.org/user/49851
[18] https://www.drupal.org/user/65776
[19] https://www.drupal.org/user/27985
[20] https://www.drupal.org/user/551886
[21] https://www.drupal.org/user/266527
[22] https://www.drupal.org/user/680072
[23] https://www.drupal.org/user/93254
[24] https://www.drupal.org/user/2582268
[25] https://www.drupal.org/user/240860
[26] https://www.drupal.org/user/157725
[27] https://www.drupal.org/user/46549
[28] https://www.drupal.org/user/395439
[29] https://www.drupal.org/user/370574
[30] https://www.drupal.org/user/99777
[31] https://www.drupal.org/user/35821
[32] https://www.drupal.org/user/255969
[33] https://www.drupal.org/user/693738
[34] https://www.drupal.org/user/78040
[35] https://www.drupal.org/user/3064
[36] https://www.drupal.org/user/1987218
[37] https://www.drupal.org/user/391689

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news