Thousands of projects might be left vulnerable due to this ancient Python security flaw

Thousands of projects might be left vulnerable due to this ancient Python security flaw ...

Researchers have discovered a somewhat unknown Python security flaw, which has resulted in the development of several hundred thousand projects being risked from code execution.

Trellix''s cybersecurity experts have recently discovered (opens in a new tab) CVE-2007-4559, a flaw in the Python tarfile package, which was first discovered back in 2007.

Until then, the flaw never received a patch, but rather a security bulletin.

Identifying vulnerable projects

The purpose of this vulnerability is in code that uses the un-sanitized tarfile.extract() function or the built-in limitations of tarfileextractall(). It''s a path traversal bug that allows an attacker to overwrite arbitrary files, according to the publication.

Researchers claim that the flaw prevents a bad actor from accesing the file system. It was updated with a closed issue, with a further addition that it might be dangerous to extract archives from unknown sources. Both the flaw is abusable on Windows and on Linux, according to authorities.

Fiveteen years ago, and apparently, around 350,000 projects might be limited. Trellixs researchers first took a sample of 257 repositories (61%) were vulnerable. An automated analysis came back with a 65% positive rate.

Trellixs researchers discovered 588,840 unique repositories that include import tarfile in its Python code, bringing them to the conclusion that 350,000 people (about 61%) might be vulnerable.

The problem is present in a wide variety of industries, according to new research. Unsurprisingly, the development (opens in a new tab) sector is the most impacted one, followed by web and machine learning technologies.

About 11,000 projects have been fixed as a fork of the affected repository, according to Trellixs researchers. These patches will be added to the main project via pull request at a later date, it was added. Another 70,000 projects should receive their fixes within a few weeks, but it will take a while.