Python has not yet patched a vulnerability found back in 2007, according to a Trellix report. More than 350,000 open source projects are now under attack.
According to Bleeping Computer, because the flaw went unfixed for so long, it has spread into several hundred thousand projects written in Python. CVE-2007-4559 is in the tarfile module of the standard library and is a path traversal (directory traversal) flaw: a crafted archive can make extraction write files outside the destination directory, which lets an attacker overwrite arbitrary files.
When the vulnerability was discovered in 2007 it was not fixed; the only remedy adopted was a documentation update warning developers of the risk.
The still-open hole was rediscovered by Trellix researchers, who describe it as follows:
The vulnerability exists because the code in the extract function in the Python tarfile module trusts the information in the TarInfo object.
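The check that the quoted sentence says tarfile lacks, as an added example (not code from the article or from Trellix): every member name, and every link target, is resolved against the destination directory before anything is extracted, and the whole archive is refused if one member would land outside it. The archive is a constructed test fixture built in memory, with one benign member and one member named `../escaped.txt`.

```python
"""Detect and refuse tarfile path traversal (CVE-2007-4559).

Added example, not from the article. The archives built here are
constructed test fixtures; nothing is read from disk except the
temporary directory used as the extraction target.
"""
import io
import os
import tarfile
import tempfile


def build_test_archive(include_traversal: bool) -> bytes:
    """Construct an in-memory tar. With include_traversal=True it also
    contains a member whose name climbs out of the extraction directory."""
    members = [("notes.txt", b"ok\n")]
    if include_traversal:
        members.append(("../escaped.txt", b"outside\n"))  # constructed hostile name
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def is_within(directory: str, target: str) -> bool:
    """True if target, fully resolved, lies inside directory."""
    directory = os.path.realpath(directory)
    target = os.path.realpath(target)
    return os.path.commonpath([directory, target]) == directory


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return names of members that would be written outside dest, or that
    are links pointing outside dest. This is the validation that a plain
    extract()/extractall() did not perform: it trusted TarInfo.name."""
    bad = []
    for m in tar.getmembers():
        if not is_within(dest, os.path.join(dest, m.name)):
            bad.append(m.name)
        elif m.issym():
            # symlink targets are relative to the member's own directory
            if not is_within(dest, os.path.join(dest, os.path.dirname(m.name), m.linkname)):
                bad.append(m.name)
        elif m.islnk():
            # hard link targets are relative to the archive root
            if not is_within(dest, os.path.join(dest, m.linkname)):
                bad.append(m.name)
    return bad


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only if every member passes the check; otherwise raise
    before a single byte is written. Returns the extracted member names."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing to extract, path traversal in: {bad}")
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def demo() -> dict:
    """Run both archives through safe_extract in a throwaway directory."""
    hostile = build_test_archive(include_traversal=True)
    clean = build_test_archive(include_traversal=False)
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(hostile), mode="r") as tar:
            flagged = unsafe_members(tar, dest)
        try:
            safe_extract(hostile, dest)
            hostile_extracted = True
        except ValueError:
            hostile_extracted = False
        escaped = os.path.exists(os.path.join(dest, "..", "escaped.txt"))
        clean_names = safe_extract(clean, dest)
    return {
        "flagged": flagged,
        "hostile_extracted": hostile_extracted,
        "escaped_file_written": escaped,
        "clean_names": clean_names,
    }


if __name__ == "__main__":
    print(demo())
```

Newer CPython releases (3.12, and the security backports to older 3.x lines) add extraction filters so that `tar.extractall(dest, filter="data")` performs an equivalent rejection itself; the explicit check above is the portable form for code that must also run on interpreters without that argument.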
Trellix has also built its own tool, Creosote, for finding instances of CVE-2007-4559; with its help the researchers found the vulnerability in the Spyder Python IDE and in Polemarch. Trellix has already patched over 11,000 projects and expects over 70,000 repositories to receive fixes in the next few weeks.