CVE-2007-4559
Summary
| CVE | CVE-2007-4559 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2007-08-28 01:17:00 UTC |
| Updated | 2026-04-23 00:35:47 UTC |
| Description | Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267. |
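The traversal the description refers to comes from `extract` and `extractall` writing each member to the destination joined with the member name exactly as stored in the archive, so a name containing a `..` sequence resolves to a path outside the destination. The block below is an added example, not code from the CVE record or from CPython: it builds two constructed in-memory archives (one with such a member), runs a pre-extraction check that flags every member whose path, symlink target or hard-link target resolves outside the destination, and wraps extraction so that flagged archives are refused and clean ones are extracted with the standard library's `filter="data"` where the interpreter has it (PEP 706). The function names `build_archive`, `unsafe_members`, `scan_archive`, `safe_extract` and `demo`, and the sample member names, are assumptions made for the example.

```python
import io
import os
import tarfile
import tempfile


def build_archive(members: dict[str, bytes]) -> bytes:
    """Build an uncompressed tar archive in memory from {member_name: payload}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample archives (not from the page). MALICIOUS carries a member
# name with the '..' sequence CVE-2007-4559 describes; BENIGN does not.
BENIGN = build_archive({"docs/readme.txt": b"hello\n"})
MALICIOUS = build_archive({"docs/readme.txt": b"hello\n", "../outside.txt": b"escaped\n"})


def is_within(base: str, candidate: str) -> bool:
    """True if candidate, after normalising '..' and resolving symlinks already on
    disk, still lies under base. Works for paths that do not exist yet."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([base, candidate]) == base


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Names of members that would be written, or would point, outside dest.

    Links are checked as well: rejecting a symlink whose target escapes dest is
    what blocks the two-step variant (extract an outward-pointing link, then a
    later member whose path passes through it). All members are checked before
    anything is written.
    """
    bad = []
    for m in tar.getmembers():
        target = os.path.join(dest, m.name)  # an absolute m.name would replace dest here
        if os.path.isabs(m.name) or not is_within(dest, target):
            bad.append(m.name)
        elif m.issym():
            # symlink targets are relative to the link's own directory
            link = os.path.join(os.path.dirname(target), m.linkname)
            if os.path.isabs(m.linkname) or not is_within(dest, link):
                bad.append(m.name)
        elif m.islnk():
            # hard-link targets are archive-relative paths
            if not is_within(dest, os.path.join(dest, m.linkname)):
                bad.append(m.name)
    return bad


def scan_archive(data: bytes, dest: str) -> list[str]:
    """Report traversal members without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return unsafe_members(tar, dest)


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Refuse the whole archive if any member escapes dest; otherwise extract it
    and return the member names. The check-then-extract sequence assumes dest is
    not writable by an untrusted party in between."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing to extract; members escape {dest!r}: {bad}")
        if hasattr(tarfile, "data_filter"):
            # PEP 706 filter (3.12; backported to 3.8.17, 3.9.17, 3.10.12, 3.11.4):
            # the stdlib itself raises tarfile.OutsideDestinationError for such members
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return sorted(m.name for m in tar.getmembers())


def demo() -> dict[str, object]:
    """Run both archives against a throwaway destination and summarise the outcome."""
    with tempfile.TemporaryDirectory() as dest:
        flagged = scan_archive(MALICIOUS, dest)
        try:
            safe_extract(MALICIOUS, dest)
            rejected = False
        except ValueError:
            rejected = True
        extracted = safe_extract(BENIGN, dest)
        on_disk = os.path.isfile(os.path.join(dest, "docs", "readme.txt"))
    return {"flagged": flagged, "rejected": rejected, "extracted": extracted, "on_disk": on_disk}


if __name__ == "__main__":
    print(demo())
```

On an interpreter with the PEP 706 backport, `tarfile.extractall(dest, filter="data")` alone is the fix the description calls for; the manual pre-scan is what a defender needs on the older interpreters this CVE was filed against, and it is also a cheap way to log and quarantine an offending archive instead of failing halfway through extraction.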
Risk And Classification
Primary CVSS: v3.1 9.8 CRITICAL from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Problem Types: CWE-22 | n/a | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 2.0 | [email protected] | Primary | 6.8 | | AV:N/AC:M/Au:N/C:P/I:P/A:P |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | Partial |
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [Python-Dev] tarfile and directory traversal vulnerability | af854a3a-2127-422b-91ae-364da2661108 | mail.python.org | Exploit, Mailing List |
| Webmail - OVH | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | Broken Link |
| Python tarfile Module Directory Traversal and Symlink Vulnerability - Advisories - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Broken Link |
| Bug 263261 – CVE-2007-4559 python tarfile module directory traversal | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.redhat.com | Issue Tracking |
| lists.fedoraproject.org/archives/list/[email protected]/messag... | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| lists.fedoraproject.org/archives/list/[email protected]/messag... | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/mess... | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/mess... | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| [Python-Dev] tarfile and directory traversal vulnerability | af854a3a-2127-422b-91ae-364da2661108 | mail.python.org | Mailing List, Vendor Advisory |
| lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/mess... | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| Samba: Multiple Vulnerabilities (GLSA 202309-06) — Gentoo security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | |
| lists.fedoraproject.org/archives/list/[email protected]/messag... | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
| Organization | Published | Contributor | Statement |
|---|---|---|---|
| Red Hat | 2007-10-15 | Joshua Bressers | Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=263261 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ |
Legacy QID Mappings
- 161059 Oracle Enterprise Linux Security Update for python-pip (ELSA-2023-6694)
- 161073 Oracle Enterprise Linux Security Update for python3.11-pip (ELSA-2023-6324)
- 161120 Oracle Enterprise Linux Security Update for python3.9 (ELSA-2023-6659)
- 161128 Oracle Enterprise Linux Security Update for python3.11 (ELSA-2023-6494)
- 161134 Oracle Enterprise Linux Security Update for python3.11-pip (ELSA-2023-6914)
- 161140 Oracle Enterprise Linux Security Update for python3 (ELSA-2023-7151)
- 161146 Oracle Enterprise Linux Security Update for python39:3.9 and python39-devel:3.9 (ELSA-2023-7034)
- 161148 Oracle Enterprise Linux Security Update for python3.11 (ELSA-2023-7024)
- 161165 Oracle Enterprise Linux Security Update for python38:3.8 and python38-devel:3.8 (ELSA-2023-7050)
- 161169 Oracle Enterprise Linux Security Update for python-pip (ELSA-2023-7176)
- 242280 Red Hat Update for python-pip (RHSA-2023:6694)
- 242304 Red Hat Update for python3.11 (RHSA-2023:6494)
- 242323 Red Hat Update for python3.9 (RHSA-2023:6659)
- 242328 Red Hat Update for python3.11-pip (RHSA-2023:6324)
- 242344 Red Hat Update for rh-python38-python (RHSA-2023:6793)
- 242412 Red Hat Update for python3.11 (RHSA-2023:7024)
- 242414 Red Hat Update for python39:3.9 and python39-devel:3.9 (RHSA-2023:7034)
- 242420 Red Hat Update for python3.11-pip (RHSA-2023:6914)
- 242431 Red Hat Update for python38:3.8 and python38-devel:3.8 (RHSA-2023:7050)
- 242435 Red Hat Update for python-pip (RHSA-2023:7176)
- 242444 Red Hat Update for python3 (RHSA-2023:7151)
- 242730 Red Hat Update for python-pip (RHSA-2024:0374)
- 242742 Red Hat Update for python3 (RHSA-2024:0430)
- 242829 Red Hat Update for python-pip (RHSA-2024:0587)
- 285358 Fedora Security Update for python3.6 (FEDORA-2024-d1f1084584)
- 285359 Fedora Security Update for python3.6 (FEDORA-2024-ebb3c95344)
- 379247 Alibaba Cloud Linux Security Update for python-pip (ALINUX3-SA-2024:0005)
- 379638 Alibaba Cloud Linux Security Update for python3 (ALINUX3-SA-2024:0040)
- 673632 EulerOS Security Update for python3 (EulerOS-SA-2023-2705)
- 674058 EulerOS Security Update for python3 (EulerOS-SA-2023-2663)
- 710751 Gentoo Linux Samba Multiple Vulnerabilities (GLSA 202309-06)
- 754078 SUSE Enterprise Linux Security Update for python36 (SUSE-SU-2023:2473-1)
- 754099 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2023:2517-1)
- 754211 SUSE Enterprise Linux Security Update for python39 (SUSE-SU-2023:2957-1)
- 755840 SUSE Enterprise Linux Security Update for python39 (SUSE-SU-2023:2641-1)
- 755855 SUSE Enterprise Linux Security Update for python311 (SUSE-SU-2023:2937-1)
- 900115 CBL-Mariner Linux Security Update for python2 2.7.18
- 900180 CBL-Mariner Linux Security Update for python3 3.7.10
- 901696 Common Base Linux Mariner (CBL-Mariner) Security Update for python2 (6822-1)
- 901835 Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (6828)
- 903355 Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (5430)
- 903443 Common Base Linux Mariner (CBL-Mariner) Security Update for python2 (3450)
- 905788 Common Base Linux Mariner (CBL-Mariner) Security Update for python2 (3450-1)
- 908049 Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (6828-1)
- 941360 AlmaLinux Security Update for python3.9 (ALSA-2023:6659)
- 941365 AlmaLinux Security Update for python3.11 (ALSA-2023:6494)
- 941377 AlmaLinux Security Update for python-pip (ALSA-2023:6694)
- 941378 AlmaLinux Security Update for python3.11-pip (ALSA-2023:6324)
- 941427 AlmaLinux Security Update for python3.11 (ALSA-2023:7024)
- 941445 AlmaLinux Security Update for python-pip (ALSA-2023:7176)
- 941446 AlmaLinux Security Update for python3 (ALSA-2023:7151)
- 941449 AlmaLinux Security Update for python3.11-pip (ALSA-2023:6914)
- 941465 AlmaLinux Security Update for python38:3.8 and python38-devel:3.8 (ALSA-2023:7050)
- 941467 AlmaLinux Security Update for python39:3.9 and python39-devel:3.9 (ALSA-2023:7034)