As many as 350,000 open source projects are thought to be potentially exploitable because of a security flaw in a Python module that has gone unpatched for 15 years.
Open source repositories span a vast array of industries, including software development, artificial intelligence/machine learning, web development, media, security, and IT management.
The flaw, tracked as CVE-2007-4559 (CVSS score: 6.8), is rooted in the tarfile module and, if successfully exploited, can lead to code execution via an arbitrary file write.
Kasimir Schulz, a security researcher at Trellix, described the issue in a write-up.
First published in August 2007, the bug involves the use of specially crafted tar archives to overwrite arbitrary files on the target machine simply by opening the archive.
Put simply, a threat actor can exploit the vulnerability by uploading a malicious tarfile that escapes the directory into which its files are extracted, allowing them to execute code and take control of the target machine.
“Do not extract archives from untrusted sources without prior inspection,” the Python documentation for the tarfile module says. “Files may be created outside the path, for example members with absolute filenames starting with ‘/’ or filenames containing two dots ‘..’.”
The vulnerability is also reminiscent of the recently disclosed remote code execution vulnerability in RARlab’s UnRAR utility (CVE-2022-30333).
Trellix has also released a custom utility called Creosote that scans projects for exposure to CVE-2007-4559, and used it to uncover vulnerabilities in the Spyder Python IDE and Polemarch.
Douglas McKee claims: