15-Year-Old Unpatched Python Vulnerability Could Affect 350,000+ Projects

As many as 350,000 open source projects are potentially exploitable because of a security flaw in a Python module that has gone unpatched for 15 years.

The affected open source repositories span a wide range of industries, including software development, artificial intelligence/machine learning, web development, media, security, and IT management.

The flaw, tracked as CVE-2007-4559 (CVSS score: 6.8), is rooted in the tarfile module; successful exploitation can turn an arbitrary file write into code execution.


Kasimir Schulz, a security researcher at Trellix, said in a write-up.

First disclosed in August 2007, the bug involves specially crafted tar archives that overwrite arbitrary files on the target machine simply by being opened.

https://www.youtube.com/watch?v=bpVmMlUgPJM

Put simply, a threat actor can exploit the vulnerability by uploading a malicious tarfile whose members escape the directory the files are meant to be extracted to, allowing them to execute code and potentially take control of the target machine.

“Never extract archives from untrusted sources without prior inspection,” the Python documentation for tarfile warns. “It is possible that files are created outside of path, e.g. members that have absolute filenames starting with ‘/’ or filenames with two dots ‘..’.”
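The check the documentation is asking for, as an added example that is not part of the original article or of Trellix's tooling: every member name (and the target of any link member) is resolved against the destination directory before extraction, and an archive containing an absolute or `..` path is refused outright. The demo archive, destination directory and function names are constructed for illustration.

```python
import io
import os
import tarfile
import tempfile

def is_within_directory(base: str, target: str) -> bool:
    """True if `target` resolves to a path inside `base` (no '..' or absolute escape)."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base

def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return the names of archive members that would land outside `dest`."""
    bad = []
    for member in tar.getmembers():
        # Absolute names and '..' components resolve outside dest once joined.
        target = os.path.join(dest, member.name)
        if not is_within_directory(dest, target):
            bad.append(member.name)
            continue
        # Link members are checked too, so a later member cannot write through a
        # link that points outside the destination.
        if member.issym():
            link_target = os.path.join(os.path.dirname(target), member.linkname)
        elif member.islnk():
            link_target = os.path.join(dest, member.linkname)
        else:
            continue
        if not is_within_directory(dest, link_target):
            bad.append(member.name)
    return bad

def safe_extractall(tar: tarfile.TarFile, dest: str) -> None:
    """Extract only if no member escapes `dest`; otherwise refuse the whole archive."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"refusing to extract members outside {dest!r}: {bad}")
    tar.extractall(dest)

def build_demo_archive() -> bytes:
    """Constructed sample: one benign member and one with a '..' traversal name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../escaped.txt"):
            data = b"hello\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def check_demo(dest: str = os.path.join(tempfile.gettempdir(), "extract_here")) -> list:
    """Run the check over the demo archive; returns the flagged member names."""
    with tarfile.open(fileobj=io.BytesIO(build_demo_archive()), mode="r") as tar:
        return unsafe_members(tar, dest)
```

On Python 3.12 and later the standard library offers the same protection natively via `tar.extractall(dest, filter="data")`, which rejects such members itself.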


The vulnerability is also reminiscent of the recently disclosed remote code execution flaw in RARlab’s UnRAR utility (CVE-2022-30333).

Trellix has also released a custom utility called Creosote that scans projects for exposure to CVE-2007-4559, and used it to uncover vulnerabilities in the Spyder Python IDE and Polemarch.


Douglas McKee claims:
