Drupal is a free, open source software that can be used to easily create and manage many types of Web sites. Drupal also includes a Content Management Platform and a development framework. A set of critical vulnerabilities was identified and fixed in Drupal, the most severe of which could allow an attacker to overwrite sensitive files on a targeted server. Drupal has also pointed out that a proof of concept code exists for the vulnerability and could soon be incorporated in wide-spread attacks considering the popularity of Drupal websites.

Highly Critical Vulnerabilities

  • SA-CORE-2019-012 patches multiple highly critical vulnerabilities affecting a third party library Archive_Tar, used by Drupal in certain configurations. The vendor states that multiple vulnerabilities are possible when Drupal is configured to allow upload and processing of  .tar, .tar.gz, .bz2 or .tlz files. An attacker can exploit this vulnerability to overwrite sensitive files by uploading maliciously crafted .tar files.

Moderately Critical Vulnerabilities

  • SA-CORE-2019-009 : A flaw exists in install.php which can be used by an unauthenticated attacker to corrupt the cached data, leading to a denial of service condition caused by impairment of a site until the caches are rebuilt. Drupal suggests blocking access to install.php if it is not required.
  • SA-CORE-2019-010 : Multiple flaws reside in file_save_upload() function which can allow an attacker with the ability to upload files to bypass security protections by overwriting arbitrary files such as .htaccess . This bug exists because the file_save_upload() function does not strip the leading and trailing dot (‘.’) from filenames.
  • SA-CORE-2019-011 : A flaw exists in the Media Library module which allows attackers with low privileges to gain unauthorized access to sensitive data. This vulnerability arises due to improper restrictions on access to media files in certain configurations.

Affected Products

Drupal versions 7.x before 7.69, 8.7.x before 8.7.11, 8.8.x before 8.8.1


An attacker can upload malicious files to overwrite sensitive files, bypass security restrictions, gain unauthorized access to sensitive data and cause denial of service condition.


Upgrade to Drupal 7.69, 8.7.11, or 8.8.1 or later.


Critical Vulnerabilities in Drupal
Article Name
Critical Vulnerabilities in Drupal
Publisher Name
SecPod Technologies
Publisher Logo

Leave a Reply

Your email address will not be published. Required fields are marked *