CVE-2007-4559
published 2007-08-28

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Priority: P343
CVSS 3.1: 9.8 critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 27.10% (97.8th percentile)

Affected (11 ranges)

Vendor              Product               Version range             Fixed in
keras               keras                 >= 0 < 3.12.0             3.12.0
msrc                cbl_mariner_1.0_arm
msrc                cbl_mariner_1.0_x64
msrc                cbl_mariner_2.0_arm
msrc                cbl_mariner_2.0_x64
pyload-ng_project   pyload-ng             >= 0 < 0.5.0b3.dev97      0.5.0b3.dev97
python              python                < 3.6.16                  3.6.16
python              python                >= 3.7.0 < 3.8.17         3.8.17
python              python                >= 3.9.0 < 3.9.17         3.9.17
python              python                >= 3.10.0 < 3.10.12       3.10.12
python              python                >= 3.11.0 < 3.11.4        3.11.4

Detection & IOCs (extracted from sources)

  • Directory traversal via '..' sequences in TAR archive member names triggers the vulnerability in Python's tarfile module extract/extractall functions
  • Vulnerable functions to monitor are tarfile.extract and tarfile.extractall; any call extracting from an untrusted TAR archive should be flagged
  • Python 3.6 as shipped in Red Hat Enterprise Linux 8 (python36:3.6/python36) is not affected: it only provides symlinks to the main python3 component
  • The vulnerability was present in approximately 350,000 open-source projects and went unnoticed for a long time, indicating broad supply-chain exposure
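The two points above in working code: a '..' member name that an unchecked extract()/extractall() simply joins onto the destination path, and a scan that flags such members before an untrusted archive is extracted. This is an added example, not code from this page, from CPython or from any of the listed projects. It builds a small archive in memory from constructed members (a benign file, a '../../' name, an absolute name, and a symlink that points above the destination), lists which members an unchecked extraction would place outside the target directory, and extracts only the rest. The helper names (path_escapes, member_escapes, escaping_members, naive_targets, safe_extractall, build_sample_tar, demo) are this example's own. It relies on two library facts: in the affected versions extract()/extractall() compute the target as os.path.join(dest, member.name) with no containment check, and the filter="data" argument (the PEP 706 extraction filters) exists in Python 3.12 and in the 3.8.17, 3.9.17, 3.10.12 and 3.11.4 fix releases listed above; on older interpreters the example relies on its own check alone.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile

# PEP 706 extraction filters: Python 3.12+, backported to 3.8.17, 3.9.17, 3.10.12, 3.11.4
HAS_FILTERS = hasattr(tarfile, "data_filter")


def path_escapes(path: str) -> bool:
    """True if an archive path is absolute or climbs above the archive root after normalisation."""
    path = path.replace("\\", "/")  # treat Windows separators as separators as well
    if path.startswith("/"):
        return True
    return os.path.normpath(path).split(os.sep)[0] == ".."


def member_escapes(member: tarfile.TarInfo) -> bool:
    """Check the member's own name and, for link members, where the link points."""
    if path_escapes(member.name):
        return True
    if member.issym():  # symlink targets resolve relative to the link's own directory
        return path_escapes(os.path.join(os.path.dirname(member.name), member.linkname))
    if member.islnk():  # hard-link targets are relative to the archive root
        return path_escapes(member.linkname)
    return False


def escaping_members(tar_bytes: bytes) -> list[str]:
    """Detection: names of members an unchecked extract()/extractall() would place outside dest."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers() if member_escapes(m)]


def naive_targets(tar_bytes: bytes, dest: str) -> dict[str, str]:
    """Where the affected versions write each member: os.path.join(dest, name), unchecked.
    Only computes the paths; nothing is written."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return {m.name: os.path.normpath(os.path.join(dest, m.name)) for m in tar.getmembers()}


def safe_extractall(tar_bytes: bytes, dest: str) -> list[str]:
    """Extract member by member, refusing anything that would land outside dest.
    Adds filter="data" where the interpreter has it; the static check runs everywhere."""
    dest = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if member_escapes(m):
                continue
            # realpath follows symlinks already on disk, so a member routed through a
            # pre-existing link is caught here even though its name looks harmless
            target = os.path.realpath(os.path.join(dest, m.name))
            if os.path.commonpath([dest, target]) != dest:
                continue
            if HAS_FILTERS:
                try:
                    tar.extract(m, path=dest, filter="data")
                except tarfile.FilterError:
                    continue
            else:
                tar.extract(m, path=dest)
            written.append(m.name)
    return written


def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign file plus three members that try to escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("pkg/README.txt", b"benign\n")
        add_file("../../escape.txt", b"outside the target dir\n")  # the '..' case in the advisory
        add_file("/tmp/absolute.txt", b"absolute path\n")          # absolute name, same effect
        link = tarfile.TarInfo("pkg/link_out")                     # symlink pointing above dest,
        link.type = tarfile.SYMTYPE
        link.linkname = "../../.."
        tar.addfile(link)
        add_file("pkg/link_out/via_symlink.txt", b"through the link\n")  # then a file through it
    return buf.getvalue()


def demo() -> dict:
    """Scan and safely extract the sample archive into a fresh temp dir; report what happened."""
    tar_bytes = build_sample_tar()
    dest = tempfile.mkdtemp(prefix="cve-2007-4559-")
    written = safe_extractall(tar_bytes, dest)
    on_disk = sorted(os.path.relpath(os.path.join(root, f), dest)
                     for root, _, files in os.walk(dest) for f in files)
    return {"flagged": escaping_members(tar_bytes), "written": written, "on_disk": on_disk}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the three flagged members and the two files that actually reach disk. One design choice worth knowing: filter="data" strips leading slashes from an absolute member name and extracts it relative to the destination rather than rejecting it, whereas the static check here rejects absolute names outright, which is the stricter and usually preferable behaviour for archives from an untrusted source. The static check is also what lets the same code protect interpreters that predate the fix releases, where no filter argument exists.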

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     6.8    MEDIUM    AV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa                     9.8    CRITICAL
osv                      9.8    CRITICAL
vendor_msrc              9.8    CRITICAL
vendor_redhat            2.1    LOW