The Cyber Security News

Up to 350,000 open source projects vulnerable to 15-year-old Python bug

January 24, 2023


A 15-year-old Python vulnerability has been found to have affected hundreds of thousands of open source projects over its lifespan.

The vulnerability, tracked as CVE-2007-4559, is a path traversal flaw in the extract and extractall functions of the Python tarfile module. Researchers at Trellix warned that, if exploited, it could allow an attacker to overwrite arbitrary files on the system that extracts a malicious TAR archive.

Trellix said its researchers initially thought they had identified a new zero-day vulnerability when they encountered the flaw. However, a subsequent investigation last year found that it dated back to 2007.

The bug was considered to be of low importance at the time. However, Trellix warned that it has since been found in more than 350,000 open source projects and in an undisclosed number of closed-source projects.

“Late last year, the Trellix Advanced Research Center team uncovered a vulnerability in Python’s tarfile module. As we dug in, we realised this was CVE-2007-4559 – a 15-year-old path traversal vulnerability with potential to allow an attacker to overwrite arbitrary files,” said Douglas McKee, director of vulnerability research at Trellix.

“CVE-2007-4559 was reported to the Python project in 2007, and left unchecked, had been unintentionally added to an estimated 350,000 open source projects and is prevalent in closed source projects.”

McKee added that the vulnerability is “firmly embedded in the supply chain of many projects” and remains widespread.

The Python bug is believed to have been present in frameworks developed by Google, Intel, and Amazon Web Services (AWS), highlighting both its longevity and its potential for critical risk.

GitHub collaboration 

Since the discovery of the bug, Trellix said it has worked extensively with GitHub to issue a fix.

Nearly 62,000 vulnerable open source projects have been patched to date, McKee revealed.

“To effectively minimise the vulnerability surface area, Trellix Advanced Research Center executed a months-long effort to patch open source projects found to use the vulnerable code,” he said.

“Through GitHub, developers and community members are able to push code to projects or repositories on the platform through a process known as a pull request. Once a request is opened, the project maintainers review the suggested code, request collaboration or clarification if needed, and accept the new code.”

After obtaining a list of repositories and files that contained the keyword ‘import tarfile’, McKee said researchers were able to compile a list of repositories to scan using the Creosote vulnerability tool.

“If a repository was determined to have the vulnerability, we patched the file and created a public patch diff containing the patched file so users can easily compare the two files, the original file, and some metadata about the repository,” he added.
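The following Python is an added example, not Trellix's Creosote scanner nor the patch diffs it published. It shows the defensive check that a fix for the tarfile path traversal described above has to add: every member of an archive is validated against the destination directory before extractall is called, so a name containing `..`, an absolute name, or a symlink pointing outside the directory is rejected instead of being written to disk. The function names, the destination path and the in-memory test archives are constructed for the demonstration.

```python
import io
import os
import tarfile


class UnsafeTarMember(ValueError):
    """Raised when an archive member would be written outside the destination."""


def is_within_directory(directory: str, target: str) -> bool:
    """True if `target` resolves to `directory` or somewhere beneath it.

    commonpath (rather than a string prefix test) is used so that a sibling
    directory such as /tmp/out-evil is not mistaken for a child of /tmp/out.
    """
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def check_members(tar: tarfile.TarFile, dest: str) -> list:
    """Validate every member of an open archive against `dest`.

    Returns the member names in archive order if all are safe; raises
    UnsafeTarMember on the first absolute name, the first name that escapes
    `dest` via '..', and the first symlink or hardlink whose target escapes it.
    """
    safe = []
    for member in tar.getmembers():
        if os.path.isabs(member.name):
            raise UnsafeTarMember(f"absolute member name: {member.name!r}")
        target = os.path.join(dest, member.name)
        if not is_within_directory(dest, target):
            raise UnsafeTarMember(f"member escapes destination: {member.name!r}")
        if member.issym():
            # A symlink target is resolved relative to the link's own directory.
            link_target = os.path.join(os.path.dirname(target), member.linkname)
        elif member.islnk():
            # A hardlink target is a path relative to the archive root.
            link_target = os.path.join(dest, member.linkname)
        else:
            link_target = None
        if link_target is not None and (
            os.path.isabs(member.linkname) or not is_within_directory(dest, link_target)
        ):
            raise UnsafeTarMember(
                f"link escapes destination: {member.name!r} -> {member.linkname!r}"
            )
        safe.append(member.name)
    return safe


def safe_extractall(tar: tarfile.TarFile, dest: str) -> list:
    """Extract only after every member has been validated (all-or-nothing)."""
    names = check_members(tar, dest)
    # Python 3.12+ (and the 3.8-3.11 security backports) ship tarfile.data_filter,
    # which applies the same kind of checks inside extractall; use it when present.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(dest, **kwargs)
    return names


def build_archive(files: dict, symlinks=None) -> bytes:
    """Build an in-memory tar from {name: bytes} and {linkname: target}.

    Constructed test data: tarfile.addfile writes member names verbatim, so
    names containing '..' can be produced to exercise the checks above.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, link_target in (symlinks or {}).items():
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = link_target
            tar.addfile(info)
    return buf.getvalue()


def classify(archive_bytes: bytes, dest: str = "/tmp/extract-here") -> str:
    """Return 'safe' or 'unsafe: <reason>' for an archive without extracting it."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        try:
            check_members(tar, dest)
        except UnsafeTarMember as exc:
            return f"unsafe: {exc}"
    return "safe"


if __name__ == "__main__":
    print(classify(build_archive({"docs/readme.txt": b"hello"})))      # safe
    print(classify(build_archive({"../evil.txt": b"x"})))              # unsafe
    print(classify(build_archive({}, {"link": "../../etc/passwd"})))  # unsafe
```

Where the interpreter can be upgraded, `tar.extractall(dest, filter="data")` (Python 3.12, and the 3.8 to 3.11 security releases that backported PEP 706) performs these checks inside the standard library; the explicit pre-check above is the pattern a patch has to add on interpreters that lack it, and it deliberately validates the whole archive before writing anything so a rejected member cannot leave a half-extracted tree behind.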

Open source vulnerabilities

Open source vulnerabilities have been a recurring issue for organisations globally in recent years. Research from Anaconda last year found that organisations scaled back their use of open source software across 2021 and 2022 amid security concerns.

Almost one-third (31%) of respondents to Anaconda’s survey said that security vulnerabilities were the number one challenge in the open source community.

In May 2022, security researchers uncovered vulnerabilities in two popular open source packages, Python CTX and PHP’s phpass.

If exploited, the vulnerabilities could have enabled attackers to launch software supply chain attacks that harvested AWS cloud credentials.

McKee warned that greater collaboration is required across the open source community to eliminate critical vulnerabilities.

“As an industry, we cannot afford to ignore the need to discover and eradicate foundational vulnerabilities,” he said. “Mass patching of open source projects can be done, even if it takes a lot of time, and it can bring benefits to organisations of all sizes, across sectors and regions.”

McKee added that to “properly prevent the reintroduction of past attack surfaces”, organisations using code libraries and frameworks in their applications should conduct regular checks and implement robust evaluation measures to improve supply chain transparency.


Some parts of this report are sourced from: www.itpro.co.uk
