[Vulnerability Advisory] Drupal Directory Traversal Vulnerability (CVE-2020-36193)

Published: 2021-01-22

0x00 Vulnerability Overview

CVE ID: CVE-2020-36193

Date: 2021-01-22

Type: Directory traversal

Severity: Critical

Remotely exploitable: Yes

Affected scope: Drupal < 9.1.3, < 9.0.11, < 8.9.13, < 7.78

0x01 Vulnerability Details

Drupal is an open-source content management framework (CMF) written in PHP; it is made up of a content management system (CMS) together with a PHP development framework. PEAR (PHP Extension and Application Repository) is a code repository for PHP extensions and applications.

On January 20, 2021, Drupal published a security advisory for a directory traversal vulnerability in Drupal (CVE-2020-36193), which the project rated as critical. Details follow:

PEAR Archive_Tar, which Drupal uses, is a utility class for creating, extracting and listing tar files in PHP. Because Archive_Tar filters insufficiently when handling archives with names such as .tar, .tar.gz, .bz2 or .tlz (tracked as CVE-2020-28948), and because Tar.php in Archive_Tar does not adequately check symbolic links, an attacker can exploit this vulnerability by uploading an archive that contains symbolic links, ultimately leading to directory traversal or remote code execution.
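As an added defensive example (not code from this advisory, from Drupal or from Archive_Tar), the following Python pre-extraction check illustrates the class of symlink handling the advisory says Tar.php lacked: it rejects members with absolute or ".." paths, link members whose target resolves outside the extraction root, and members placed beneath an earlier link, without extracting anything. The extraction root "/var/www/extract" and the fixture archive are constructed assumptions.

```python
import io
import posixpath
import tarfile

def find_unsafe_members(archive: bytes, root: str = "/var/www/extract") -> list:
    """Return (member, reason) pairs for entries that could land outside root:
    absolute or '..' paths, links whose target leaves root, and entries whose
    parent directory is an earlier link. Nothing is written to disk."""
    root = posixpath.normpath(root)  # assumed, hypothetical extraction directory
    problems, links = [], set()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for m in tf.getmembers():
            name = posixpath.normpath(m.name)
            parts = name.split("/")
            if name.startswith("/") or parts[0] == "..":
                problems.append((m.name, "path escapes extraction root"))
                continue
            # Writing beneath a linked directory follows the link on disk.
            parents = ["/".join(parts[:i]) for i in range(1, len(parts))]
            through = [p for p in parents if p in links]
            if through:
                problems.append((m.name, "written through symlink " + through[0]))
                continue
            if m.issym() or m.islnk():
                links.add(name)  # nothing may later be placed beneath any link
                if m.linkname.startswith("/"):
                    target = m.linkname
                elif m.issym():  # symlink targets resolve from the link's directory
                    target = posixpath.join(root, posixpath.dirname(name), m.linkname)
                else:            # hard-link targets resolve from the archive root
                    target = posixpath.join(root, m.linkname)
                target = posixpath.normpath(target)
                if target != root and not target.startswith(root + "/"):
                    problems.append((m.name, "link target leaves root: " + m.linkname))
    return problems

def build_sample() -> bytes:
    """Constructed fixture (not from the advisory): a benign file, a symlink
    whose target leaves the root, and a file placed beneath that symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        ok = tarfile.TarInfo("site/README.txt")
        ok.size = 5
        tf.addfile(ok, io.BytesIO(b"hello"))
        ln = tarfile.TarInfo("site/cfg")
        ln.type, ln.linkname = tarfile.SYMTYPE, "../../outside"
        tf.addfile(ln)
        tf.addfile(tarfile.TarInfo("site/cfg/note.txt"))  # size 0, no data needed
    return buf.getvalue()
```

Running find_unsafe_members(build_sample()) flags both the symlink and the file beneath it while leaving site/README.txt untouched; an uploader would reject the whole archive if the list is non-empty.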

Affected versions

Drupal < 9.1.3

Drupal < 9.0.11

Drupal < 8.9.13

Drupal < 7.78

0x02 Remediation Recommendations

Drupal has fixed this vulnerability; upgrade promptly to one of the following versions:

Affected version: Drupal < 9.1.3
Fixed version:    Drupal 9.1.3
Download:         https://ftp.drupal.org/files/projects/drupal-9.1.3.tar.gz
                  https://ftp.drupal.org/files/projects/drupal-9.1.3.zip

Affected version: Drupal < 9.0.11
Fixed version:    Drupal 9.0.11
Download:         https://ftp.drupal.org/files/projects/drupal-9.0.11.tar.gz
                  https://ftp.drupal.org/files/projects/drupal-9.0.11.zip

Affected version: Drupal < 8.9.13
Fixed version:    Drupal 8.9.13
Download:         https://ftp.drupal.org/files/projects/drupal-8.9.13.tar.gz
                  https://ftp.drupal.org/files/projects/drupal-8.9.13.zip

Affected version: Drupal < 7.78
Fixed version:    Drupal 7.78
Download:         https://ftp.drupal.org/files/projects/drupal-7.78.tar.gz
                  https://ftp.drupal.org/files/projects/drupal-7.78.zip

0x03 References

https://www.drupal.org/sa-core-2021-001

/new_type/aqtg/20201126/22124.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36193

0x04 Timeline

2021-01-20  Drupal publishes its security advisory

2021-01-22  VSRC publishes this security advisory

0x05 Appendix

CVSS scoring standard (official site): http://www.first.org/cvss/
