Trellix researchers discovered that more than 350,000 open-source projects are vulnerable to an unaddressed 15-year-old flaw in Python's tarfile module, according to The Register.
The flaw, tracked as CVE-2007-4559, could let threat actors overwrite and hijack files when a malicious tar archive is opened through tarfile, said Jan Matejek, who first identified the bug.
"The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the '..' sequence to filenames in a tar archive," said Trellix researcher Kasimir Schulz. Trellix is already working on making repaired code available.
"Using our tools, we currently have patches for 11,005 repositories, ready for pull requests. Each patch will be added to a forked repository and a pull request made over time... Due to the size of vulnerable projects we expect to continue this process over the next few weeks. This is expected to hit 12.06 percent of all vulnerable projects, a little over 70K projects by the time of completion," Trellix researcher Charles McFarland added.
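The mitigation side of the flaw described above, as an added example that is not Trellix's or CPython's code: every tar member is checked before extraction so that its name, and for links its target, resolves inside the destination directory, and any member that would escape (a `..` sequence, an absolute name, or a link pointing outside) is reported instead of written. The sample archive is constructed in memory for the demonstration and is not a real-world artefact; the `/audit/root` nominal destination used when only auditing is an assumption of this example.

```python
import io
import os
import tarfile
import tempfile


def member_is_safe(member: tarfile.TarInfo, dest: str) -> bool:
    """Return True only if extracting `member` cannot escape `dest`.

    Rejects absolute names, '..' traversal, and symlinks/hardlinks whose
    target would resolve outside the destination directory.
    """
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member.name))
    try:
        if os.path.commonpath([dest_real, target]) != dest_real:
            return False
        if member.issym():
            # A relative symlink target is resolved from the link's own directory.
            if os.path.isabs(member.linkname):
                return False
            link_target = os.path.realpath(
                os.path.join(os.path.dirname(target), member.linkname))
            return os.path.commonpath([dest_real, link_target]) == dest_real
        if member.islnk():
            # A hardlink target is named relative to the archive root.
            link_target = os.path.realpath(os.path.join(dest_real, member.linkname))
            return os.path.commonpath([dest_real, link_target]) == dest_real
    except ValueError:  # e.g. paths on different drives on Windows
        return False
    return True


def audit_archive(data: bytes, dest: str = None):
    """Classify members without extracting anything; returns (safe, rejected) names.

    When no destination is given, a nominal nested directory is assumed so that
    '..' traversal is still detected relative to a realistic extraction root.
    """
    dest = dest or os.path.join(os.path.abspath(os.sep), "audit", "root")  # assumed nominal root
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            (safe if member_is_safe(member, dest) else rejected).append(member.name)
    return safe, rejected


def safe_extractall(data: bytes, dest: str):
    """Extract only the members that pass the check; returns (extracted, rejected)."""
    os.makedirs(dest, exist_ok=True)
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            if member_is_safe(member, dest):
                tar.extract(member, dest)
                extracted.append(member.name)
            else:
                rejected.append(member.name)
    return extracted, rejected


def build_constructed_archive() -> bytes:
    """Constructed sample archive: one benign file plus the member kinds to reject."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, payload):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        add_file("docs/readme.txt", b"benign content\n")
        add_file("../../etc/overwrite.txt", b"escapes via ..\n")
        add_file("/abs/overwrite.txt", b"absolute member name\n")
        link = tarfile.TarInfo("link_out")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the constructed archive into a temporary directory and report the outcome."""
    data = build_constructed_archive()
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extractall(data, dest)
        readme_present = os.path.isfile(os.path.join(dest, "docs", "readme.txt"))
    return {"extracted": extracted, "rejected": rejected, "readme_present": readme_present}


if __name__ == "__main__":
    print(run_demo())
```

Checking each member against the real (symlink-resolved) destination matters because a member extracted earlier in the same archive may be a symlink; resolving paths at extraction time catches a later file that would be written through it. On Python 3.12 and later (and the 3.8 to 3.11 security backports), `tarfile.extractall(filter="data")` performs equivalent checks in the standard library, so the manual check is only needed where older interpreters must be supported.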
Okta had 4,961 current and former employees' data, including names, health insurance plan numbers, and Social Security numbers, compromised following a breach at its third-party vendor Rightway Healthcare, reports The Register.