The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal. For more information please see:
Exploits may be possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.Solution:
Install the latest version:
Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.
Disable uploads of .tar, .tar.gz, .bz2, or .tlz files to mitigate the vulnerability.Reported By: