Python has never fixed a vulnerability discovered back in 2007, according to Bleeping Computer. More than 350,000 open-source projects are exposed to it.
The vulnerability was never a secret: it was discovered in late August 2007, but it was not properly disclosed and was never assigned a severity rating, only an identifier, CVE-2007-4559. The flaw is in Python's tarfile module, in the tarfile.extract() and tarfile.extractall() functions, which do not validate the paths of archive members. When a vulnerable application opens a malicious tar archive with tarfile, the flaw can be used to overwrite or take over files on the victim's machine.
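Added illustration, not code from the article or from Trellix: the check a defender would run before calling extractall(). Each member's path, and the target of any symlink or hard link member, is resolved and rejected unless it stays under the destination directory. The archives are constructed in memory, and the destination path is an assumed placeholder; nothing is written to disk by the checks.

```python
import io
import os
import tarfile

def escaping_members(tar, dest):
    """Names of members whose path or link target would land outside `dest`."""
    root = os.path.abspath(dest)
    inside = lambda p: os.path.commonpath([root, os.path.abspath(p)]) == root
    bad = []
    for m in tar.getmembers():
        member_path = os.path.join(root, m.name)
        if m.issym():    # symlink target is relative to the link's own directory
            target = os.path.join(os.path.dirname(member_path), m.linkname)
        elif m.islnk():  # hard-link target is relative to the archive root
            target = os.path.join(root, m.linkname)
        else:
            target = member_path
        if not (inside(member_path) and inside(target)):
            bad.append(m.name)
    return bad

def safe_extractall(tar, dest):
    """Use in place of tar.extractall(dest); Python 3.12+ can pass filter="data" instead."""
    bad = escaping_members(tar, dest)
    if bad:
        raise ValueError(f"refusing to extract, traversal in members: {bad}")
    tar.extractall(dest)

def build_tar(entries):
    """Constructed sample: in-memory tar from (name, payload) pairs; a str payload makes a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in entries:
            info = tarfile.TarInfo(name=name)
            if isinstance(payload, str):
                info.type, info.linkname = tarfile.SYMTYPE, payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def check_archive(data, dest="/srv/app/uploads"):
    """Members of tar bytes `data` that would escape `dest` (assumed path); nothing is written."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return escaping_members(tar, dest)

BENIGN = build_tar([("docs/readme.txt", b"hello")])
TRAVERSAL = build_tar([("docs/readme.txt", b"hello"), ("../../outside.txt", b"x")])
LINK_ESCAPE = build_tar([("docs", "../"), ("docs/readme.txt", b"hello")])
```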
The rediscovery is credited to security researchers at Trellix. While investigating another issue in Python, they came across CVE-2007-4559 and checked how dangerous the finding really was. The researchers took 257 repositories and manually reviewed 175 of them; the flaw was present in 61% of those.
Trellix staff have prepared fixes for just over 11,000 projects on GitHub. The fixes will be made available in a branch of each affected repository and then proposed to the main project via a pull request. In addition, more than 70,000 projects will receive a patch in the near future.
The Python Software Foundation has neither fixed the problem nor warned developers about it in 15 years, and at the time of writing the flaw is still unfixed, although the Python developers have added a warning to the documentation that opening archives from untrusted sources can be dangerous.