Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012

Project: Drupal coreVersion: 8.8.x-dev8.7.x-dev7.x-devDate: 2019-December-18Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Proof/TD:UncommonVulnerability: Multiple vulnerabilitiesDescription: The Drupal project uses the third-party library Archive_Tar, which has released a security update that impacts some Drupal configurations.
Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.
The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities.Solution: Install the latest version:

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.Reported By: 

Fixed By: 

Path to article https://www.drupal.org/sa-core-2019-012