All applications and open-source projects using the Python terfile module are potentially vulnerable, according to cybersecurity company Trellix. Currently, 350,000 open-source projects and applications are at risk.
The vulnerability, which is traced as CVE-2007-4559, has a severity of 6.8 and was discovered in 2007. Trellix explained that hackers can exploit the vulnerability by uploading a malicious file generated with two or three lines of code using un-sanitized tarfile.extract or the built-in default settings of tarfile.extractall.
The researchers discovered hundreds of thousands of vulnerable GitHub repositories. They also discovered 2.87 million open-source files containing Python’s tarfile module in approximately 588,000 unique repositories with 61% (350,000) vulnerable.
The vulnerability could be exploited by hackers to execute arbitrary code or take control of the device. Kasimir Schulz, researcher at the Trellix Advanced Research Center, discovered the vulnerability. Schulz described the vulnerability as a path traversal attack in the extract and extractall functions found in the terfile module, which allow attackers to overwrite arbitrary files by adding the “..” sequence to filenames in a TAR.
To protect against attacks, developers need to check the target directory to which the tarfile writes data, which will help ensure that data is only extracted to the directory intended by the developer. Trellix is also working on pushing code via GitHub pull request to protect open-source projects from the flaw.
The sources for this piece include an article in TechRepublic.