Back to CVE Browser

CVE-2007-4559

CRITICAL

9.8

CVSS Severity Score

EPSS Score0.0430%

EPSS Percentile31.83th

PublishedAug 28, 2007

Last ModifiedApr 23, 2026

Vulnerability Description

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Affected Platforms (CPE)

📦

Python

Python

< 3.6.16

📦

Python

Python

>= 3.7.0 and < 3.8.17

📦

Python

Python

>= 3.9.0 and < 3.9.17

📦

Python

Python

>= 3.10.0 and < 3.10.12

📦

Python

Python

>= 3.11.0 and < 3.11.4

References & Advisories

🔗 http://mail.python.org/pipermail/python-dev/2007-August/074290.html

🔗 http://mail.python.org/pipermail/python-dev/2007-August/074292.html

🔗 http://secunia.com/advisories/26623

🔗 http://www.vupen.com/english/advisories/2007/3022

🔗 https://bugzilla.redhat.com/show_bug.cgi?id=263261

🔗 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CVBB7NU3YIRRDOKLYVN647WPRR3IAKR6/

🔗 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FI55PGL47ES3OU2FQPGEHOI2EK3S2OBH/

🔗 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KA4Z44ZAI4SY7THCFBUDNT5EEFO4XQ3A/

Related Vulnerabilities

CVE-2014-296710.0

Autodesk VRED Professional 2014 before SR1 SP8 allows remote attackers to execute arbitrary code via Python os library calls in Py...

CVE-2008-503110.0

Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via...

CVE-2014-300710.0

Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell m...

CVE-2014-816510.0

scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the pickle Python module unsafely, which allows remote attackers ...