News/Tech News

Unpatched Python vulnerability affects over 350,000 projects

Published on Sep 26, 2022

A Python module that has remained unpatched for 15 years has a security flaw that may expose 350,000 open source projects to exploitation.

There are open source repositories for software development, artificial intelligence/machine learning, web development, media, security, and IT management.

An arbitrary file write could lead to code execution through CVE-2007-4559 (CVSS score: 6.8), a vulnerability in the tarfile module.

According to Trellix security researcher Kasimir Schulz, the vulnerability can be exploited by adding the ‘..’ sequence to filenames in a TAR archive to overwrite arbitrary files.

A specially crafted tar archive can be leveraged to overwrite arbitrary files on a target machine simply by opening it.

A threat actor can exploit the weakness by uploading a malicious tarfile and escaping the directory where the file is intended to be extracted, allowing the adversary to obtain control of the target device.

The Python documentation for tarfile warns against extracting archives from untrusted sources. There is a possibility that files will be created outside of path, such as members with absolute filenames starting with ‘/’ or files with two dots ‘..’.”

Additionally, the vulnerability is similar to a recently disclosed security flaw in RARlab’s UnRAR utility (CVE-2022-30333).

Trellix has released a custom utility called Creosote to scan for projects vulnerable to CVE-2007-4559, which was used to discover the vulnerability in the Spyder Python IDE and Polemarch.

“Unchecked, this vulnerability has unintentionally been added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface,” Douglas McKee explained.

Tech News

Firefox 105 0 1 is launched

Firefox 105.0.1 is launched, and focus is restored

A minor update to Mozilla’s Firefox web browser will be released later today, restoring the original startup focus behaviour…


Cloud-focused Eclipse Jakarta EE upgrade

Java EE 10 focuses on building modern, simplified, and lightweight cloud-native Java applications, including a Core Profile for microservices…

Our Latest Blog

Unlock Your Potential with a Level 5 Diploma in Business London's Top Courses img

Unlock Your Potential with a Level 5 Diploma in Business: London’s Top Courses

Are you looking to enhance your knowledge and skills in the field of business? Do...
Read More
Unlock Your Potential with Level 4 Diploma in Business Courses in London img

Unlock Your Potential with Level 4 Diploma in Business Courses in London

Are you looking for a comprehensive course to take your business career to the next...
Read More

Follow Us


Browse LSET presentations to understand interesting…

Explore Now

Get complete guides to empower yourself academically…

Explore Now

Learn about information technology and business…

Explore Now