The install.php file used by Drupal 8 Core contains a flaw that can be exploited by a remote, unauthenticated attacker to impair the availability of a targeted website by corrupting its cached data. The file upload function in Drupal 8 does not strip leading and trailing dot (‘.’) from filenames, which can be used by an attacker with file upload ability to overwrite arbitrary system files. The vulnerability resides in the way the affected library untar archives with symlinks which, if exploited, could allow an attacker to overwrite sensitive files on a targeted server by uploading a maliciously crafted tar file.
Source: https://thehackernews.com/2019/12/drupal-website-hacking.html