
15-year-old vulnerability discovered in Python: Hundreds of thousands of open source projects affected
At least 350,000 open source projects may be affected by a vulnerability in a Python module that has been open for 15 years.
A previously undiscovered vulnerability in a module of the widely used programming language Python may have been incorporated into at least 350,000 open source projects over the past several years.
The vulnerability has been open for 15 years without being discovered.
Over all these years, the module in which it resides has been used in hundreds of thousands of open source projects.
The vulnerability is found in the tarfile module, which Python uses to read and write compressed file packages, the so-called tar archives.
The vulnerability has been discovered by the security company Trellix, who initially thought it was a 0-day vulnerability.
Instead, it turned out to be a 5,500-day vulnerability dating all the way back to August 24, 2007.
It has been named CVE-2007-4559.
Trellix has built a free tool called Creosote, which you can use to scan for vulnerabilities in your open source projects.
Creosote is published on GitHub.
According to Trellix, the vulnerable module is found in more than 350,000 open-source projects and the same number of closed-source projects.
The tarfile module is part of Python's standard library and is used in, among other things, frameworks at AWS, Facebook, Google and Intel, in a number of machine learning and automation applications, and in Docker containers.
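The weakness behind CVE-2007-4559 is that tarfile's extraction writes each member to the path its name says, so a project that extracts untrusted archives should validate member paths before calling `extractall`. The following is an added example of such a check, not code from the article, from Trellix or from CPython; `build_sample_archive` constructs a small fixture in memory so the check can be run offline, and the destination directory name is an arbitrary assumption. Newer Python releases also provide extraction filters (`tar.extractall(path, filter="data")`) that perform this kind of validation for you.

```python
import io
import os
import tarfile


def build_sample_archive() -> bytes:
    """Constructed fixture (not a real-world sample): one benign entry and one
    whose name climbs out of the extraction directory with '../'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("docs/readme.txt", b"hello\n"),
                              ("../escaped.txt", b"outside\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def unsafe_members(data: bytes, dest: str) -> list:
    """Names of members whose resolved path (or link target) would land
    outside `dest`. Catches '../' segments, absolute names and links."""
    base = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(base, m.name))
            if os.path.commonpath([base, target]) != base:
                bad.append(m.name)
                continue
            if m.issym():  # symlink targets are relative to the link's directory
                link = os.path.join(os.path.dirname(target), m.linkname)
            elif m.islnk():  # hard link targets are relative to the archive root
                link = os.path.join(base, m.linkname)
            else:
                continue
            if os.path.commonpath([base, os.path.realpath(link)]) != base:
                bad.append(m.name)
    return bad


def safe_extractall(data: bytes, dest: str) -> list:
    """Extract only if every member passes the check; otherwise touch nothing."""
    bad = unsafe_members(data, dest)
    if bad:
        raise ValueError(f"refusing to extract, unsafe members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        tar.extractall(dest)
        return tar.getnames()
```

Because the whole member list is checked before anything is written, a rejected archive leaves the destination untouched.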