22 September 2022

Unpatched 15-year-old Python vulnerability puts at risk over 350,000 open-source projects


An old, unpatched bug in the Python programming language potentially affects roughly 350,000 open-source projects and several closed-source projects, inadvertently creating a vast software supply chain attack surface, researchers at cybersecurity company Trellix warn.

Tracked as CVE-2007-4559, the vulnerability is a path traversal issue in the Python tarfile module, which ships with Python and is therefore available to any Python project. The flaw is extremely easy to exploit, the researchers say: by uploading a malicious archive generated with two or three lines of simple code, an attacker can achieve arbitrary code execution or take over the target device.

The vulnerability was initially disclosed back in 2007 but still remains unpatched, although Python added a warning about the risks of using tarfile to its documentation, cautioning developers never to “extract archives from untrusted sources without prior inspection” because of the directory traversal issue.
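The “prior inspection” the documentation asks for is the step that most affected projects skip. The following is an added example (not code from Trellix or from the Python project) showing what that inspection looks like: each member's name is resolved against the destination directory, and extraction is refused if any member would land outside it or is a link. The helper names (`is_within_directory`, `unsafe_members`, `safe_extractall`, `build_tar`, `demo`) are my own, and the two archives are constructed in memory for the demonstration: one benign, one carrying the `../` member name that CVE-2007-4559 is about.

```python
import io
import os
import tarfile
import tempfile


def is_within_directory(base: str, target: str) -> bool:
    """True if `target` resolves to a path inside `base` (after normalising '..')."""
    base_real = os.path.realpath(base)
    target_real = os.path.realpath(target)
    return os.path.commonpath([base_real, target_real]) == base_real


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Names of members that would escape `dest`, plus any symlinks/hardlinks.

    Links are refused as a matter of policy here (an assumption of this example):
    a link target can point anywhere on the filesystem, and a later member can
    then be written through it.
    """
    bad = []
    for member in tar.getmembers():
        # os.path.join discards `dest` entirely if member.name is absolute,
        # so absolute names are caught by the same containment check.
        target = os.path.join(dest, member.name)
        if not is_within_directory(dest, target):
            bad.append(member.name)
        elif member.issym() or member.islnk():
            bad.append(member.name)
    return bad


def safe_extractall(tar_bytes: bytes, dest: str) -> list:
    """Inspect every member first; extract only if all pass. Returns extracted names."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing to extract, unsafe member names: {bad}")
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def build_tar(entries: dict) -> bytes:
    """Build an in-memory tar from {member_name: text} (constructed test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in entries.items():
            data = content.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample archives for the demonstration.
BENIGN_TAR = build_tar({"app/config.txt": "ok\n"})
TRAVERSAL_TAR = build_tar({"app/config.txt": "ok\n", "../outside.txt": "escaped\n"})


def demo() -> dict:
    """Run both archives through the checked extractor in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp_root:
        dest = os.path.join(tmp_root, "extract")
        os.makedirs(dest)
        results = {"benign": safe_extractall(BENIGN_TAR, dest)}
        try:
            safe_extractall(TRAVERSAL_TAR, dest)
            results["traversal"] = "extracted"
        except ValueError:
            results["traversal"] = "rejected"
        # Nothing should have been written one level above the extraction dir.
        results["outside_exists"] = os.path.exists(os.path.join(tmp_root, "outside.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```

The check runs over the member list before any file is written, so a single bad entry causes the whole archive to be rejected rather than partially extracted. Python 3.12 later added a `filter` argument to `extract` and `extractall` (backported to maintenance releases of 3.8 through 3.11) that performs this kind of containment check for you; `tar.extractall(dest, filter="data")` is the shorter route on those versions, but the explicit inspection above works on any Python 3 release.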

The Python tarfile module is used extensively in frameworks created by Netflix, AWS, Intel, Facebook and Google, and in applications used for machine learning, automation and Docker containerization.

“When we talk about supply chain threats, we typically refer to cyber-attacks like the SolarWinds incident, however building on top of weak code-foundations can have an equally severe impact,” Trellix said. “This vulnerability’s pervasiveness is furthered by industry tutorials and online materials propagating its incorrect usage. It’s critical for developers to be educated on all layers of the technology stack to properly prevent the reintroduction of past attack surfaces.”

The company said it is working to push fixes via GitHub pull requests to protect open-source projects from the vulnerability.
