Python vulnerability puts 350,000 open-source projects at risk

All applications and open-source projects using the Python terfile module are potentially vulnerable, according to cybersecurity company Trellix. Currently, 350,000 open-source projects and applications are at risk.

The vulnerability, which is traced as CVE-2007-4559, has a severity of 6.8 and was discovered in 2007. Trellix explained that hackers can exploit the vulnerability by uploading a malicious file generated with two or three lines of code using un-sanitized tarfile.extract or the built-in default settings of tarfile.extractall.

The researchers discovered hundreds of thousands of vulnerable GitHub repositories. They also discovered 2.87 million open-source files containing Python’s tarfile module in approximately 588,000 unique repositories with 61% (350,000) vulnerable.

The vulnerability could be exploited by hackers to execute arbitrary code or take control of the device. Kasimir Schulz, researcher at the Trellix Advanced Research Center, discovered the vulnerability. Schulz described the vulnerability as a path traversal attack in the extract and extractall functions found in the terfile module, which allow attackers to overwrite arbitrary files by adding the “..” sequence to filenames in a TAR.

To protect against attacks, developers need to check the target directory to which the tarfile writes data, which will help ensure that data is only extracted to the directory intended by the developer. Trellix is also working on pushing code via GitHub pull request to protect open-source projects from the flaw.

The sources for this piece include an article in TechRepublic.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web