22 September 2022

Unpatched 15-year-old Python vulnerability puts at risk over 350,000 open-source projects


An old, unpatched bug in the Python programming language potentially affects roughly 350,000 open-source projects and several closed-source projects, inadvertently creating a vast software supply chain attack surface, researchers at cybersecurity company Trellix warn.

Tracked as CVE-2007-4559, the vulnerability is a path traversal issue in the Python tarfile module, which ships with the standard library and is therefore available to any project using Python. The flaw is extremely easy to exploit, the researchers say: by uploading a malicious archive generated with two or three lines of simple code, an attacker can achieve arbitrary code execution or take over the target device.

Initially disclosed back in 2007, the vulnerability still remains unpatched, although Python added a warning about the risks of using the tarfile function to its documentation, cautioning developers never to “extract archives from untrusted sources without prior inspection” because of the directory traversal issue.
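The “prior inspection” the documentation asks for, as an added example that is not Trellix's code or the Python project's own: every member name (and symlink target) is resolved against the destination directory before anything is extracted, and the whole archive is refused if any member would land outside it. The destination path and the archive contents are constructed here purely to exercise the check.

```python
import io
import os
import tarfile


def is_within_directory(directory: str, target: str) -> bool:
    # Resolve both paths and require `target` to stay under `directory`.
    abs_directory = os.path.realpath(directory)
    abs_target = os.path.realpath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    # Names of members that would be written outside `dest`: '..' segments,
    # absolute names, and symlinks whose target points outside the tree.
    bad = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)
        if not is_within_directory(dest, target):
            bad.append(member.name)
        elif member.issym():
            # A symlink target is relative to the directory holding the link.
            link = os.path.join(os.path.dirname(target), member.linkname)
            if not is_within_directory(dest, link):
                bad.append(member.name)
    return bad


def safe_extract(tar: tarfile.TarFile, dest: str) -> None:
    # Check every member first; extract nothing if any would escape.
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"refusing to extract, members escape {dest!r}: {bad}")
    tar.extractall(dest)


def build_sample_tar(members) -> tarfile.TarFile:
    # Constructed in-memory archive for exercising the check (test data only).
    # Each item is a file name, or a (name, linkname) tuple for a symlink.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for item in members:
            if isinstance(item, tuple):
                info = tarfile.TarInfo(name=item[0])
                info.type, info.linkname = tarfile.SYMTYPE, item[1]
                tar.addfile(info)
            else:
                info = tarfile.TarInfo(name=item)
                info.size = 6
                tar.addfile(info, io.BytesIO(b"sample"))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

Calling `safe_extract` in place of a bare `extractall` rejects the archive as a whole rather than extracting the benign members and silently writing the rest elsewhere.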

The Python tarfile module is found extensively in frameworks created by Netflix, AWS, Intel, Facebook and Google, and in applications used for machine learning, automation and Docker containerization.

“When we talk about supply chain threats, we typically refer to cyber-attacks like the SolarWinds incident, however building on top of weak code-foundations can have an equally severe impact,” Trellix said. “This vulnerability’s pervasiveness is furthered by industry tutorials and online materials propagating its incorrect usage. It’s critical for developers to be educated on all layers of the technology stack to properly prevent the reintroduction of past attack surfaces.”

The company said it is working to push code via GitHub pull request to protect open-source projects from the vulnerability.
