Researchers at Trellix said they have patched nearly 62,000 open-source projects susceptible to a 15-year-old path traversal vulnerability in the Python ecosystem.

The bug, tracked under CVE-2007-4559, was discovered by Trellix’s team in Python’s tarfile module late last year. It was first reported to the Python project in 2007 but left unchecked, as it was deemed to be of low importance at the time.

Since then, its presence has greatly expanded. The bug reportedly affects approximately 350,000 open-source software projects and countless other closed-source software projects.

Kasimir Schulz, a vulnerability researcher for Trellix’s Threat Labs, described the discovery in a blog post. “While investigating an unrelated vulnerability, Trellix Advanced Research Center stumbled across a vulnerability in Python’s tarfile module. Initially, we thought we had found a new zero-day vulnerability. As we dug into the issue, we realized this was in fact CVE-2007-4559.”

This particular vulnerability is a path traversal attack in the ‘extract’ and ‘extractall’ functions in the tarfile module. When exploited, it allows an attacker to overwrite arbitrary files by adding the “..” sequence to filenames in a TAR archive.

Global supply chain issue

Trellix’s team assembled a distinct list of repositories to scan after obtaining a list of repositories and files containing the keyword “import tarfile” from GitHub.

The team then cloned and scanned each repository using a special app vulnerability-checking tool called Creosote, which was developed for this purpose.

“After analyzing files, Creosote will print out any files that may contain vulnerabilities, sorting them into 3 categories based on confidence level (Vulnerable, Probably Vulnerable, Potentially Vulnerable)”, Shulz explained.

After Creosote did its work, the team replaced the original file with a patched file if needed. “As we have demonstrated above, this vulnerability is incredibly easy to exploit, requiring little to no knowledge about complicated security topics”, Shulz said.

“Due to this fact and the prevalence of the vulnerability in the wild, Python’s tarfile module has become a massive supply chain issue threatening infrastructure around the world.”