Trellix researchers discovered that more than 350,000 open-source projects are vulnerable to an unaddressed 15-year-old flaw in Python's tarfile module, according to The Register.
Threat actors could exploit the flaw, tracked as CVE-2007-4559, to overwrite files and potentially hijack execution when an application extracts a malicious tar archive with tarfile. The bug was first identified in 2007 by Jan Matejek.
"The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the '..' sequence to filenames in a tar archive," said Trellix researcher Kasimir Schulz. Trellix says it is already working on getting repaired code into affected projects.
"Using our tools, we currently have patches for 11,005 repositories, ready for pull requests. Each patch will be added to a forked repository and a pull request made over time... Due to the size of vulnerable projects we expect to continue this process over the next few weeks. This is expected to hit 12.06 percent of all vulnerable projects, a little over 70K projects by the time of completion," Trellix researcher Charles McFarland added.
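As an added illustration of the traversal Schulz describes (this is example code, not code from the original report, from Trellix, or from CPython): the script below builds a constructed in-memory tar archive whose member name starts with '../', shows that a legacy-style extractall() call writes that file outside the chosen directory, and then shows a hardened extraction that resolves every member path (and every link target) against the destination before anything is written. The member names, the 'owned' payload and the demo() helper are assumptions made for the example. On Python 3.12 and later tarfile ships extraction filters (filter='data'), which the example passes when available; the explicit path check is what protects older interpreters.

```python
import io
import os
import shutil
import tarfile
import tempfile


def build_tar(members: dict) -> bytes:
    """Build an in-memory tar archive from {member_name: bytes}.
    Constructed sample data: '../escaped.txt' reproduces the CVE-2007-4559
    pattern, a member name that climbs out of the extraction directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _filter_kwargs(name: str) -> dict:
    """Pass a tarfile extraction filter only where the interpreter supports it
    (3.12+ and the 3.8-3.11 backports); older versions take no such argument."""
    return {"filter": name} if hasattr(tarfile, "data_filter") else {}


def unsafe_extract(archive: bytes, dest: str) -> None:
    """Legacy behaviour: extractall() trusts member names exactly as stored.
    'fully_trusted' reproduces that behaviour on newer interpreters."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        tar.extractall(dest, **_filter_kwargs("fully_trusted"))


def is_within_directory(directory: str, target: str) -> bool:
    """True if target resolves to directory itself or something beneath it."""
    directory = os.path.realpath(directory)
    target = os.path.realpath(target)
    return os.path.commonpath([directory, target]) == directory


def safe_extract(archive: bytes, dest: str) -> list:
    """Hardened extraction: validate every member first, then extract.
    Returns the extracted member names; raises ValueError on traversal."""
    dest_real = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        members = tar.getmembers()
        # Pass 1: check all members before writing anything, so a bad archive
        # is rejected whole rather than left half-extracted.
        for m in members:
            target = os.path.join(dest_real, m.name)
            if not is_within_directory(dest_real, target):
                raise ValueError(f"tar member escapes destination: {m.name!r}")
            if m.issym() or m.islnk():
                # A link resolving outside dest would let a later member write
                # through it; symlink targets are relative to the link's
                # directory, hard-link targets to the archive root.
                base = os.path.dirname(target) if m.issym() else dest_real
                if not is_within_directory(dest_real, os.path.join(base, m.linkname)):
                    raise ValueError(f"tar link escapes destination: {m.name!r}")
        # Pass 2: everything checked out; extract with the 'data' filter where
        # available as defence in depth.
        tar.extractall(dest_real, members=members, **_filter_kwargs("data"))
    return [m.name for m in members]


def demo() -> dict:
    """Run both extractors against a malicious and a clean archive in a temp dir."""
    malicious = build_tar({"../escaped.txt": b"owned\n", "inside.txt": b"ok\n"})
    clean = build_tar({"inside.txt": b"ok\n"})
    root = tempfile.mkdtemp(prefix="tarfile-demo-")
    try:
        unsafe_dest = os.path.join(root, "unsafe")
        os.makedirs(unsafe_dest)
        unsafe_extract(malicious, unsafe_dest)
        # The '../' member lands beside the extraction directory, not inside it.
        escaped = os.path.isfile(os.path.join(root, "escaped.txt"))

        safe_dest = os.path.join(root, "safe")
        os.makedirs(safe_dest)
        try:
            safe_extract(malicious, safe_dest)
            rejected = False
        except ValueError:
            rejected = True
        wrote_nothing = os.listdir(safe_dest) == []

        clean_dest = os.path.join(root, "clean")
        os.makedirs(clean_dest)
        clean_names = safe_extract(clean, clean_dest)
        return {
            "unsafe_escaped": escaped,
            "safe_rejected": rejected,
            "safe_wrote_nothing": wrote_nothing,
            "clean_names": clean_names,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The two-pass structure matters: checking each member only as it is extracted would still let a symlink member pointing outside the destination be created before the member that writes through it is examined, which is why link targets are validated up front alongside plain member names.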
Separately, a command injection vulnerability in one of Bazel's GitHub Actions workflows could have allowed threat actors to inject malicious code into the production environment of projects built with the Google open-source tool.