CVE-2007-4559

high-risk

Published 2007-08-28

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Do I need to act?

90.6% chance of exploitation in next 30 days

EPSS score — higher than 9% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Python

Affected Vendors

Python

References (21)

Mailing List http://mail.python.org/pipermail/python-dev/2007-August/074290.html

Exploit http://mail.python.org/pipermail/python-dev/2007-August/074292.html

Broken Link http://secunia.com/advisories/26623

Broken Link http://www.vupen.com/english/advisories/2007/3022

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=263261

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

https://security.gentoo.org/glsa/202309-06

Mailing List http://mail.python.org/pipermail/python-dev/2007-August/074290.html

Exploit http://mail.python.org/pipermail/python-dev/2007-August/074292.html

Broken Link http://secunia.com/advisories/26623

Broken Link http://www.vupen.com/english/advisories/2007/3022

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=263261

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...

and 1 more references

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 20/34 · Moderate

Exposure 5/34 · Minimal