The vulnerability is caused by two bugs in the PEAR Archive_Tar library used by the Drupal content management system (CMS). It can be exploited if the CMS is configured to allow and process file uploads. Over 944,000 websites are using vulnerable Drupal versions. The Department of Homeland Security has also issued an alert urging admins and users to upgrade to the patched versions of the CMS. The company recommends installing the following updates on affected servers: Drupal 9.0, Drupal 8.9.10 or earlier users should update to.
Source: https://www.bleepingcomputer.com/news/security/drupal-issues-emergency-fix-for-critical-bug-with-known-exploits/

