Python Vulnerability Puts 350,000 Open Source Projects At Risk

A 15-year-old vulnerability in Python's tarfile module is raising concerns about the software supply chain.
SIA Team
September 24, 2022

The Python tarfile module could be dangerous for any program that uses it, according to a statement released on Wednesday, September 21, 2022 by cybersecurity company Trellix.

Trellix said that 350,000 open-source projects, and the applications that depend on them, are at risk of device takeover or malicious code execution due to a known Python vulnerability.

Frameworks from Netflix, AWS, Intel, Facebook, and Google, as well as tools for machine learning, automation, and Docker containerization, all make extensive use of the Python tarfile module, Trellix said.

According to Trellix, an attacker who can get a vulnerable program to extract a crafted archive can write files anywhere that program has write access, and from there take control of the device or execute arbitrary code on it.

The vulnerability, CVE-2007-4559, was assigned a medium CVSS score of 6.8 out of 10 when it was first reported in 2007. It is a path traversal flaw: tarfile.extract and the default behaviour of tarfile.extractall do not sanitize member filenames, so an archive whose entries contain ".." sequences or absolute paths is written outside the intended extraction directory. A malicious archive that triggers it reportedly takes just two or three lines of code to create.
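The following is an added example, not code from the article or from Trellix. It shows both halves of the problem described above: how little it takes to build an archive whose member names escape the extraction directory (a constructed sample, including a symlink member pointing outside), and a hardened extraction routine that resolves every member path, link target and device node against the destination before anything is written. Function names such as unsafe_members and safe_extract are this example's own; the Python 3.12 extraction filters (PEP 706, also backported to maintenance releases of 3.8 to 3.11) are used when the interpreter has them, which is detected via the documented tarfile.data_filter attribute.

```python
import io
import os
import tarfile
import tempfile

DEST_ESCAPE = "../../.bashrc"   # relative traversal, the classic CVE-2007-4559 shape
LINK_ESCAPE = "escape"          # symlink member whose target lies outside dest


def build_malicious_tar(payload: bytes = b"echo pwned\n") -> bytes:
    """Constructed sample archive (not a real-world artefact).

    tarfile takes member names verbatim, so '..' components and symlinks to
    outside locations survive into extract()/extractall() unchanged."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=DEST_ESCAPE)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))

        link = tarfile.TarInfo(name=LINK_ESCAPE)
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"          # absolute target, outside any dest
        tar.addfile(link)
    return buf.getvalue()


def build_benign_tar() -> bytes:
    """Constructed sample archive containing only in-tree regular files."""
    files = {
        "app/config.txt": b"debug=false\n",
        "app/run.sh": b"#!/bin/sh\necho ok\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _inside(root: str, path: str) -> bool:
    """True if path, fully resolved, is root or lies beneath it."""
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def unsafe_members(archive: bytes, dest: str) -> list[str]:
    """Names of members that would touch the filesystem outside dest.

    Checks the member path itself, symlink and hard link targets, and
    refuses device nodes. Everything is resolved with realpath so that '..',
    absolute names and pre-existing symlinks under dest are accounted for."""
    root = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.join(root, m.name)   # an absolute m.name discards root here
            if not _inside(root, target) or m.isdev():
                bad.append(m.name)
                continue
            if m.issym():
                # symlink targets are relative to the link's own directory
                if not _inside(root, os.path.join(os.path.dirname(target), m.linkname)):
                    bad.append(m.name)
            elif m.islnk():
                # hard link targets are relative to the archive root
                if not _inside(root, os.path.join(root, m.linkname)):
                    bad.append(m.name)
    return bad


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Vet every member first, then extract; returns extracted relative paths."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract, unsafe members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        if hasattr(tarfile, "data_filter"):       # PEP 706 filters available
            tar.extractall(dest, filter="data")   # second line of defence
        else:                                     # older interpreter: our check is all there is
            tar.extractall(dest)
    out = []
    for dirpath, _, filenames in os.walk(dest):
        for f in filenames:
            rel = os.path.relpath(os.path.join(dirpath, f), dest)
            out.append(rel.replace(os.sep, "/"))
    return sorted(out)


def demo() -> dict:
    """Run both constructed archives against a scratch directory."""
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        results["malicious_rejected"] = unsafe_members(build_malicious_tar(), dest)
        try:
            safe_extract(build_malicious_tar(), dest)
            results["malicious_blocked"] = False
        except ValueError:
            results["malicious_blocked"] = True
        results["benign_rejected"] = unsafe_members(build_benign_tar(), dest)
        results["benign_extracted"] = safe_extract(build_benign_tar(), dest)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pre-extraction check is what protects interpreters that predate the extraction filters; on newer ones the "data" filter independently rejects the same members, so a program gets two chances to refuse the archive. Note that the check deliberately inspects link targets rather than trusting a later member's path: a symlink to an outside directory followed by a file written "through" it would pass a naive name-only check.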

Meanwhile, Doug McKee, a lead engineer and director of vulnerability research at Trellix, said that the vulnerability has not yet been used in the wild. The number of live programs using the tarfile module is likewise unknown. He asserted that no scanners were looking for the vulnerability.