Drupal Core announced multiple critical vulnerabilities that impact some of its configurations for versions: 8.8.x-dev, 8.7.x-dev, and 7.x-dev.

The Drupal project uses the third-party library Archive_Tar, which released a security update – SA-CORE-2019-012, according to a Dec. 18 advisory.

Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.

The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.

Drupal also advises users to install the latest versions:

In addition, updating to the Drupal 7.x core release will apply the fixes for all the below: