CVE-2007-4559
Published 2007-08-28
Priority P3 · 43 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 27.10% (97.8th percentile)
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| keras | keras | >= 0 < 3.12.0 | 3.12.0 |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| pyload-ng_project | pyload-ng | >= 0 < 0.5.0b3.dev97 | 0.5.0b3.dev97 |
| python | python | < 3.6.16 | 3.6.16 |
| python | python | >= 3.10.0 < 3.10.12 | 3.10.12 |
| python | python | >= 3.11.0 < 3.11.4 | 3.11.4 |
| python | python | >= 3.7.0 < 3.8.17 | 3.8.17 |
| python | python | >= 3.9.0 < 3.9.17 | 3.9.17 |
Detection & IOCs (extracted from sources)
- Directory traversal via '..' sequences in TAR archive filenames triggers the vulnerability in Python's tarfile module extract/extractall functions
- Vulnerable functions to monitor are tarfile.extract and tarfile.extractall; any call extracting from an untrusted TAR archive should be flagged
- Python 3.6 as shipped in Red Hat Enterprise Linux 8 (python36:3.6/python36) is not affected; it only provides symlinks to the main python3 component
- The vulnerability was present in approximately 350,000 open-source projects and went unnoticed for a long time, indicating broad supply-chain exposure
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_msrc | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 2.1 | LOW | — |
OSV
pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
osv·2026-04-08·CVSS 9.8
CVE-2026-35592 [CRITICAL] pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
## Summary
The `_safe_extractall()` function in `src/pyload/plugins/extractors/UnTar.py` uses `os.path.commonprefix()` for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside the intended extraction directory. The correct function `os.path.commonpath()` was added to the codebase in the GHSA-7g4m-8hx2-4qh3 fix (commit 5f4f0fa) but was never applied to `_safe_extractall()`, making this an incomplete fix.
## Details
The GHSA-7g4m-8hx2-4qh3 fix (commit 5f4f0fa) added a correct `is_within_directory()` function to `src/pyload/core/utils/fs.py:384-391` using `os.path.c
GHSA
pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
ghsa·2026-04-08·CVSS 9.8
CVE-2026-35592 [CRITICAL] CWE-22 pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
OSV
Keras Directory Traversal Vulnerability
osv·2025-12-02
CVE-2025-12060 [HIGH] Keras Directory Traversal Vulnerability
Keras Directory Traversal Vulnerability
## Summary
Keras's `keras.utils.get_file()` function is vulnerable to directory traversal attacks despite implementing `filter_safe_paths()`. The vulnerability exists because `extract_archive()` uses Python's `tarfile.extractall()` method without the security-critical `filter="data"` parameter. A PATH_MAX symlink resolution bug occurs before path filtering, allowing malicious tar archives to bypass security checks and write files outside the intended extraction directory.
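The Keras advisory above and the pyload-ng advisory earlier on this page turn on the same two points: `os.path.commonprefix()` compares strings character by character rather than path components, and `tarfile.extractall()` needs `filter="data"` (or an equivalent containment check) before it will refuse members whose names climb out of the destination. The following Python is an added example written for this page; it is not code from CPython, Keras or pyload-ng. It builds constructed in-memory archives, contrasts the two checks side by side, and extracts with the built-in data filter when the interpreter provides one (Python 3.12+ and the 3.8.17 / 3.9.17 / 3.10.12 / 3.11.4 backports listed in the affected table), falling back to a `commonpath`-based check otherwise. The function names `commonprefix_check`, `is_within_directory` (modelled on the name the pyload-ng advisory uses, but written here), `build_archive`, `safe_extractall` and `demo` are this example's own.

```python
import io
import os
import tarfile
import tempfile


def commonprefix_check(directory, target):
    """The flawed containment check the pyload-ng advisory describes.

    os.path.commonprefix compares strings character by character, so a
    sibling directory whose name merely starts with `directory` passes.
    """
    directory = os.path.abspath(directory)
    target = os.path.abspath(target)
    return os.path.commonprefix([directory, target]) == directory


def is_within_directory(directory, target):
    """Path-level containment check: True only if target resolves inside directory."""
    directory = os.path.realpath(directory)
    target = os.path.realpath(target)
    return os.path.commonpath([directory, target]) == directory


def build_archive(members):
    """Build an in-memory tar from a {member_name: bytes} mapping (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def safe_extractall(archive_bytes, dest):
    """Extract archive_bytes into dest, refusing members that would land outside it.

    Uses tarfile's data filter where available; otherwise every member name is
    checked with is_within_directory before anything is written.
    Returns the extracted member names.
    """
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        members = tar.getmembers()
        if hasattr(tarfile, "data_filter"):
            # The data filter rejects absolute paths, ".." escapes, links that
            # point outside dest and special files; it raises a FilterError
            # (a tarfile.TarError subclass) for the offending member.
            tar.extractall(dest, filter="data")
        else:
            for member in members:
                if not is_within_directory(dest, os.path.join(dest, member.name)):
                    raise tarfile.TarError("blocked member outside dest: " + member.name)
            tar.extractall(dest)
    return [m.name for m in members]


def demo():
    """Run a benign and a traversal archive through safe_extractall in a throwaway directory.

    Returns a dict describing the outcome so it can be checked programmatically.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract")
        os.mkdir(dest)

        benign = build_archive({"docs/readme.txt": b"hello\n"})
        results["benign_members"] = safe_extractall(benign, dest)
        results["benign_written"] = os.path.isfile(os.path.join(dest, "docs", "readme.txt"))

        # Constructed member name that climbs out of dest: the CVE-2007-4559 pattern.
        hostile = build_archive({"../escaped.txt": b"outside\n"})
        try:
            safe_extractall(hostile, dest)
            results["hostile"] = "extracted"
        except tarfile.TarError:
            results["hostile"] = "blocked"
        results["escaped_written"] = os.path.exists(os.path.join(tmp, "escaped.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```

The fallback branch only inspects member names, so unlike the built-in data filter it does not cover a symlink member followed by a regular file written through that link; that is one reason to prefer `filter="data"` and to know exactly which interpreter patch release is deployed, since the affected table shows which releases carry the filter.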
## Details
### Root Cause Analysis
**Current Keras Implementation**
```python
# From keras/src/utils/file_utils.py#L121
if zipfile.is_zipfile(file_path):
    # Zip archive.
    archive.extractall(path)
else:
    # Tar archive, perhaps unsafe. Filter paths.
    archive.extractall(path, members=
```
GHSA
Keras Directory Traversal Vulnerability
ghsa·2025-12-02
CVE-2025-12060 [HIGH] CWE-22 Keras Directory Traversal Vulnerability
GHSA
GHSA-gw9q-c7gh-j9vm: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attacker
ghsa_unreviewed·2022-05-01·CVSS 2.1
CVE-2007-4559 [LOW] CWE-22 GHSA-gw9q-c7gh-j9vm: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attacker
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
OSV
CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attacker
osv·2007-08-28·CVSS 2.1
CVE-2007-4559 [LOW] CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attacker
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
Microsoft
CVE-2007-4559: NIST NVD Details: https://nvd
vendor_msrc·2024-12-10·CVSS 9.8
CVE-2007-4559 [CRITICAL] CVE-2007-4559: NIST NVD Details: https://nvd
NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2007-4559
Mariner: Mariner
Customer Action Required: Yes
Exploit Status: DOS:N/A
Remediation: python3
Reference: https://nvd.nist.gov/vuln/detail/CVE-2007-4559
Remediation: python2
Red Hat
python: tarfile module directory traversal
vendor_redhat·2007-08-24·CVSS 2.1
CVE-2007-4559 [LOW] CWE-22 python: tarfile module directory traversal
python: tarfile module directory traversal
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
A flaw was found in the Python tarfile module. Extracting a crafted TAR archive with the tarfile.extract or tarfile.extractall functions could lead to a directory traversal vulnerability, resulting in overwrite of arbitrary files.
Statement: The Red Hat Product Security has rated this issue as having a Moderate security impact, a future update may address this flaw. More information regarding issue severity can be found here: https://access.redhat.com/security/updates/classif
No detection rules found.
No public exploits indexed.
arXiv
Applications of Positive Unlabeled (PU) and Negative Unlabeled (NU) Learning in Cybersecurity
arxiv_fulltext·2024-12-09
Applications of Positive Unlabeled (PU) and Negative Unlabeled (NU) Learning in Cybersecurity
Applications of Positive Unlabeled (PU) and Negative Unlabeled (NU) Learning in Cybersecurity
Robert Dilworth
Mississippi State University
Starkville
Mississippi
USA
Charan Gudla
Mississippi State University
Starkville
Mississippi
USA
## Abstract
This paper explores the relatively underexplored application of Positive Unlabeled (PU) Learning and Negative Unlabeled (NU) Learning in the cybersecurity domain. While these semi-supervised learning methods have been applied successfully in fields like medicine and marketing, their potential in cybersecurity remains largely untapped. The paper identifies key areas of cybersecurity--such as intrusion detection, vulnerability management, malware detection, and threat intelligence--where PU/NU learnin
arXiv
When Less is Enough: Positive and Unlabeled Learning Model for Vulnerability Detection
arxiv_fulltext·2023-08-21
When Less is Enough: Positive and Unlabeled Learning Model for Vulnerability Detection
When Less is Enough: Positive and Unlabeled Learning Model for Vulnerability Detection
Anonymous Author(s)
Xin-Cheng Wen^1, Xinchen Wang^1, Cuiyun Gao^1 , Shaohua Wang^2, Yang Liu^3, Zhaoquan Gu^1
^1 School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen, China
^2 Central University of Finance and Economics, China
^3 School of Computer Science and Engineering, Nanyang Technological University, China
{gaocuiyun, guzhaoquan}@hit.edu.cn
^ Corresponding author. The author is also affiliated with Peng Cheng Laboratory.
## Abstract
Automated code vulnerability detection has gained increasing attention in recent years. The deep learning (DL)-based methods, which implicit
Bugzilla
CVE-2008-1568 comix: Command executions via improper shell escaping
bugzilla·2008-01-29·CVSS 9.8
CVE-2008-1568 [CRITICAL] CVE-2008-1568 comix: Command executions via improper shell escaping
CVE-2008-1568 comix: Command executions via improper shell escaping
Multiple security issues were reported to Debian BTS affecting comix package:
Insecure temporary file usage:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462838
comix and comicthumb use temporary directories with predictable name. However,
it only seems to be possible to redirect creation of /tmp/comix/ directory via
symlinks, so that numbered per-session subdirectories are not created in /tmp
but in some other user-writable directory. As /tmp/comix/ directory is created
with permissions based on user's umask, it's probably not writable to other
random unprivileged users. By itself, this probably only has limited impact.
However, usage of fixed temporary directory /tmp/comix/ seems bit unlucky, as
this prevents mul
Bugzilla
CVE-2007-4559 python tarfile module directory traversal [F7]
bugzilla·2007-10-02·CVSS 9.8
CVE-2007-4559 [CRITICAL] CVE-2007-4559 python tarfile module directory traversal [F7]
CVE-2007-4559 python tarfile module directory traversal [F7]
F7 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life.
Bug Reporter: Than
Bugzilla
CVE-2007-4559 python tarfile module directory traversal [FC6]
bugzilla·2007-10-02·CVSS 9.8
CVE-2007-4559 [CRITICAL] CVE-2007-4559 python tarfile module directory traversal [FC6]
CVE-2007-4559 python tarfile module directory traversal [FC6]
FC6 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.
If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and
Bugzilla
CVE-2007-4559 python: tarfile module directory traversal
bugzilla·2007-08-29·CVSS 2.1
CVE-2007-4559 [LOW] CVE-2007-4559 python: tarfile module directory traversal
CVE-2007-4559 python: tarfile module directory traversal
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4559 to the following vulnerability:
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
References:
Issue and additional attack vectors were discussed in following thread on
python-dev mailinglist:
http://mail.python.org/pipermail/python-dev/2007-August/074290.html
Upstream bug tracking possible fixes for the issue:
http://bugs.python.org/issue1044
Discussion:
Ok, so they seem confused about whether they wanted to fix anything or just
def
References:
- http://mail.python.org/pipermail/python-dev/2007-August/074290.html
- http://mail.python.org/pipermail/python-dev/2007-August/074292.html
- http://secunia.com/advisories/26623
- http://www.vupen.com/english/advisories/2007/3022
- https://bugzilla.redhat.com/show_bug.cgi?id=263261
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CVBB7NU3YIRRDOKLYVN647WPRR3IAKR6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FI55PGL47ES3OU2FQPGEHOI2EK3S2OBH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KA4Z44ZAI4SY7THCFBUDNT5EEFO4XQ3A/
- https://security.gentoo.org/glsa/202309-06
Published: 2007-08-28