It is estimated that up to 350,000 open-source projects might be compromised as a result of a vulnerability in a Python module that has gone unfixed for 15 years.
Open-source repositories span a wide range of industries, including software development, artificial intelligence/machine learning, web development, media, security, and IT management.
This flaw, tracked as CVE-2007-4559 (CVSS score: 6.8), is rooted in the tarfile module and, if successfully exploited, can lead to code execution by way of arbitrary file writes.
First published in August 2007, the bug allows specially crafted tar archives to overwrite arbitrary files on the target machine simply by opening the file. Simply put, a threat actor can exploit the vulnerability by uploading a malicious tar file whose member paths escape the directory into which the files are extracted; the resulting file writes let the attacker execute code and take control of the target.
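The defect described above is that `tarfile.extractall()` trusted the path stored in each archive member, so a member named `../something` was written outside the extraction directory. The following added example (not code from the original article or from Trellix) shows the validation a defender can put in front of extraction: every member's resolved destination, and the target of every link member, must stay inside the chosen directory. The archive contents, the directory name `out`, and the helper names `unsafe_members`, `safe_extract`, `build_archive` and `check_archive` are all constructed for this illustration.

```python
import io
import os
import tarfile
from typing import List, Tuple


def unsafe_members(tar: tarfile.TarFile, dest_dir: str) -> List[str]:
    """Return the names of members that would land outside dest_dir.

    This is the check tarfile.extractall() historically did not perform:
    a member named '../x' or '/etc/x' is written wherever its path points.
    Link members are inspected too, because a symlink pointing outside
    dest_dir can redirect a later write in the same archive.
    """
    base = os.path.realpath(dest_dir)
    bad: List[str] = []
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(base, member.name))
        if os.path.commonpath([base, target]) != base:
            bad.append(member.name)
            continue
        if member.issym() or member.islnk():
            # Hard links are relative to the archive root; symlinks are
            # relative to the directory that contains the link itself.
            link_base = base if member.islnk() else os.path.dirname(target)
            link_target = os.path.realpath(os.path.join(link_base, member.linkname))
            if os.path.commonpath([base, link_target]) != base:
                bad.append(member.name)
    return bad


def safe_extract(tar: tarfile.TarFile, dest_dir: str) -> None:
    """Validate every member first; refuse the whole archive if any escapes."""
    bad = unsafe_members(tar, dest_dir)
    if bad:
        raise ValueError(f"refusing to extract: members escape {dest_dir!r}: {bad}")
    tar.extractall(dest_dir)


def build_archive(entries: List[Tuple[str, bytes]], symlinks: List[Tuple[str, str]] = ()) -> bytes:
    """Build a tar archive in memory (constructed test data, never written to disk)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in entries:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        for name, linkname in symlinks:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = linkname
            tar.addfile(info)
    return buf.getvalue()


def check_archive(data: bytes, dest_dir: str) -> List[str]:
    """Open an in-memory archive and report the members that would escape dest_dir."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return unsafe_members(tar, dest_dir)


if __name__ == "__main__":
    # Constructed sample: one benign file, one traversal member and one
    # symlink whose target lies outside the extraction directory.
    sample = build_archive(
        [("README.txt", b"hello"), ("../outside.txt", b"escaped")],
        symlinks=[("link", "../elsewhere")],
    )
    print(check_archive(sample, "out"))  # prints ['../outside.txt', 'link']
```

Rejecting the whole archive rather than skipping bad members is deliberate: a partially extracted archive is harder to reason about than a clean failure. On Python 3.12 and the patched 3.8 through 3.11 releases, `extractall(dest_dir, filter="data")` performs an equivalent check inside the standard library; the explicit version above is useful on older interpreters and wherever the archive handling is audited separately.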
Trellix, which carried out this investigation, has criticized that nobody seems to care about the proper use of Python. It argues that the tutorials users rely on to get the most out of the language are inadequate and contain several errors that should be corrected so that proper protection measures can be taken.
It is also Trellix that has not only brought the Python security bug back into the news, but is launching a series of actions to try to resolve it. Its first goal is to protect open-source projects from CVE-2007-4559, the tar-file directory traversal vulnerability it has discovered and confirmed.
The second goal is to offer developers a completely free tool that lets them check whether their projects are at risk. This will help them measure the threat and take measures to keep their projects safe, avoiding unwanted surprises and the loss of their work.
Earlier it was reported that Python had returned to the top of the ranking of the most popular programming languages compiled by Tiobe, with programmers showing more interest in Python than in C, C++, or Java.