The vulnerability, tracked as CVE-2007-4559 (CVSS score: 6.8), was discovered 15 years ago.
"While investigating an unrelated vulnerability, Trellix Advanced Research Center stumbled across a vulnerability in Python's tarfile module.
Initially, we thought we had found a new zero-day vulnerability."
"Python's tarfile module lets us do exactly this," continues the post.
This enables attackers to create their exploits with as little as the 6 lines of code above.
"Never extract archives from untrusted sources without prior inspection," the Python documentation for tarfile reads.
"It is possible that files are created outside of path, e.g.
source: www.techworm.net
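The "prior inspection" the documentation warning above asks for is the missing step in most extraction code. As an added example that is not part of the original article or of the Python project's own code, the following audit resolves every member name, symlink target and hardlink target against the destination before anything is written and refuses the archive if any of them land outside it. The archive contents, the `untrusted-dest` directory name and all function names are constructed for this example.

```python
import io
import os
import tarfile

def unsafe_members(tar, dest):
    """Names of members that would land outside `dest` when extracted: '..'
    traversal, absolute names, and links whose targets resolve outside it.
    realpath() normalises paths that do not exist yet, so nothing is written."""
    root = os.path.realpath(dest)
    def inside(path):
        return os.path.commonpath([root, os.path.realpath(path)]) == root
    flagged = []
    for m in tar.getmembers():
        target = os.path.join(root, m.name)
        if not inside(target):
            flagged.append(m.name)
        elif m.issym() and not inside(os.path.join(os.path.dirname(target), m.linkname)):
            flagged.append(m.name)  # symlink target is relative to the link's directory
        elif m.islnk() and not inside(os.path.join(root, m.linkname)):
            flagged.append(m.name)  # hardlink target is relative to the archive root
    return flagged

def audit(data, dest):
    """Inspect an in-memory archive without extracting it."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return unsafe_members(tar, dest)

def safe_extract(data, dest):
    """Extract an in-memory archive to `dest` only if nothing is flagged."""
    flagged = audit(data, dest)
    if flagged:
        raise ValueError(f"refusing to extract, unsafe members: {flagged}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        tar.extractall(dest)

def build_sample_archive():
    """Constructed sample: one benign file, one '..' entry, one escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("notes.txt", "../escape.txt"):
            info = tarfile.TarInfo(name)
            info.size = len(b"sample text\n")
            tar.addfile(info, io.BytesIO(b"sample text\n"))
        link = tarfile.TarInfo("link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()
```

Python 3.12 and later (and the backports to the supported 3.8 through 3.11 releases) also provide `tarfile.data_filter`, used as `extractall(dest, filter="data")`, which rejects the same classes of member; the explicit check above is for code that must run on interpreters without it.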