15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects - The Hacker News
The shortcoming, tracked as CVE-2007-4559 (CVSS score: 6.8), is rooted in the tarfile module, successful exploitation of which could lead to code execution from an arbitrary file write."The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the '..' sequence to filenames in a TAR archive," Trellix security researcher Kasimir Schulz said in a writeup.Originally disclosed in August 2007, the bug has to do with how a specially crafted tar archive can be leveraged to overwrite arbitrary files on a target machine simply upon opening the file.