The Trellix Advanced Threat Research team has identified a 15-year-old bug in the Python tarfile module, tracked as CVE-2007-4559 with a CVSS score of 6.8. The vulnerability is a path traversal attack on the extract and extractall functions in the tarfile module that allows an attacker to overwrite arbitrary files. "It is sorted by file names in the tar archive," says Trellix security researcher Kasimir Schulz. After successful exploitation, the attacker may be able to gain code execution from the file write.

Reports on the tarfile vulnerability explain that tar files are a collection of many different files together with metadata, and that the metadata is then used to unpack the archive. In this case, attackers can take advantage of the flaw with a malicious tar file that escapes the directory the file was meant to be extracted to and achieves code execution. The tarfile module allows users to add a filter that they can use to parse and modify a file's metadata before it is added to the TAR archive. This makes it easier for attackers to build their exploits with only a few lines of code.

"The security code could not be written to clear the participants' files before tarfile.extract() or tarfile.extractall() was called, which leads to a vulnerability that allows the attacker to bypass access to the file system directory," said Trellix vulnerability researcher Charles McFarland.

The extract function of Python's tarfile module explicitly trusts the information in the TarInfo object passed to it and joins the extraction path with the file name stored in that TarInfo object, which allows an attacker to carry out a directory traversal attack through the name. Because the extractall function relies on the extract function, experts say that extractall is also vulnerable to a directory traversal attack.
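The member check that the quote above says is missing, written out as an added example (not code from Trellix or the Python project): every member's destination is resolved and compared against the extraction directory before extractall() runs. The names check_members, safe_extract, build_sample and UnsafeMember are hypothetical, and the sample archive is constructed in memory.

```python
import io
import os
import tarfile

class UnsafeMember(Exception):
    """Raised when an archive member would be written outside the target."""

def _inside(base: str, target: str) -> bool:
    # True when target is base itself or lies beneath it.
    return os.path.commonpath([base, target]) == base

def check_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return all members if each one stays inside dest, else raise."""
    base = os.path.realpath(dest)
    safe = []
    for m in tar.getmembers():
        # extract() joins dest with the name stored in TarInfo; resolve it first.
        target = os.path.realpath(os.path.join(base, m.name))
        if not _inside(base, target):
            raise UnsafeMember(f"{m.name!r} resolves outside {dest!r}")
        if m.issym() or m.islnk():
            # Symlinks resolve from their own directory, hard links from dest.
            root = os.path.dirname(target) if m.issym() else base
            if not _inside(base, os.path.realpath(os.path.join(root, m.linkname))):
                raise UnsafeMember(f"link {m.name!r} -> {m.linkname!r} leaves {dest!r}")
        elif not (m.isfile() or m.isdir()):
            raise UnsafeMember(f"{m.name!r} is not a regular file, directory or link")
        safe.append(m)
    return safe

def build_sample(names) -> bytes:
    """Constructed test archive: each name becomes a small regular file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def safe_extract(archive: bytes, dest: str) -> list:
    """Validate every member, then extract only if all of them passed."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        members = check_members(tar, dest)
        tar.extractall(dest, members=members)
        return [m.name for m in members]
```

Python 3.12 and later also accept `filter="data"` on `extract()` and `extractall()`, which applies comparable checks inside the standard library.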