72 matches found
PT-2026-52897
Name of the Vulnerable Software and Affected Versions Patool versions prior to 4.0.5 Description A path traversal issue exists in the safe extract function within patoolib/programs/py tarfile.py when used with Python versions before 3.12. The is within directory helper function utilizes...
Amazon Linux 2023 : python3.14, python3.14-devel, python3.14-freethreading (ALAS2023-2026-1774)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1774 advisory. The tarfile module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPELONGNAME or GNUTYPELONGLINK. This could result ...
Astra Linux – Vulnerability in Python 3.11
It allows arbitrary file system writes outside the extraction directory during extraction with the filter="data" parameter. This vulnerability affects users who use the tarfile module to extract untrusted tar archives using methods like TarFile.extractall or TarFile.extract, with the filter=...
ROS-20260505-73-0071
A vulnerability in the tarfile module of the Python programming language interpreter CPython is related to incorrect parsing of the file header. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...
cpython: cpython: `tarfile` module misinterprets crafted tar archives leading to data integrity issues
A flaw was found in the tarfile module of cpython. This vulnerability allows a remote attacker to craft a malicious tar archive that, when processed, could be misinterpreted by the tarfile module. This misinterpretation occurs because the module incorrectly applies normalization of AREGTYPE block...
Misinterpretation of Input
Overview Affected versions of this package are vulnerable to Misinterpretation of Input in tarfile.py, which may convert AREGTYPE \x00 blocks to DIRTYPE when processing multi-block input such as GNUTYPELONGNAME or GNUTYPELONGLINK. Remediation A fix was pushed into the master branch but not yet...
CVE-2025-13462 tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling
The "tarfile" module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPELONGNAME or GNUTYPELONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations...
CVE-2025-13462 tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling
The "tarfile" module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPELONGNAME or GNUTYPELONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations...
Exploit for CVE-2025-4517
CVE-2025-4517 Exploit - WingData HTB NOTES This exploit an...
Exploit for CVE-2025-4517
CVE-2025-4517 Exploit - WingData HTB Overview This exploi...
Exploit for CVE-2025-4517
CVE-2025-4517-poc Here is the updated script as a Proof-of-Co...
Astra Linux – Vulnerability in Python 3.11
There is a defect in the CPython “tarfile” module that affects the “TarFile” extraction and entry enumeration APIs. The tar implementation processes tar archives with negative offsets without errors, which can lead to an infinite loop and deadlock during the parsing of maliciously crafted tar...
MiracleLinux 9 : python3.12-3.12.1-4.el9_4.4 (AXSA:2024-8949:08)
The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2024-8949:08 advisory. python: cpython: tarfile: ReDos via excessive backtracking while parsing header values CVE-2024-6232 Tenable has extracted the preceding description block...
MiracleLinux 4 : rh-python36-python-pip-9.0.1-5.AXS4, rh-python36-python-3.6.12-1.AXS4, rh-python36-python-virtualenv-15.1.0-3.AXS4 (AXSA:2020-818:02)
The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2020-818:02 advisory. python: XSS vulnerability in the documentation XML-RPC server in servertitle field CVE-2019-16935 python: CRLF injection via the host part of the url...
EulerOS 2.0 SP10 : python3 (EulerOS-SA-2026-1036)
According to the versions of the python3 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : There is a defect in the CPython 'tarfile' module affecting the 'TarFile' extraction and entry enumeration APIs. The tar implementation would...
MiracleLinux 7 : python-2.7.5-94.0.5.el7.AXS7 (AXSA:2025-11503:37)
The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-11503:37 advisory. CVE-2025-8194: fix infinite loop and deadlock in TarFile extraction and entry enumeration APIs CVEs: CVE-2025-8194 There is a defect in the CPython tarfile...
MiracleLinux 9 : python3.11-3.11.11-2.el9_6.1 (AXSA:2025-10624:06)
The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2025-10624:06 advisory. cpython: Tarfile extracts filtered members when errorlevel=0 CVE-2025-4435 cpython: Bypass extraction filter to modify file metadata outside...
MiracleLinux 7 : python3-3.6.8-21.0.5.0.1.el7.AXS7 (AXSA:2025-11016:07)
The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-11016:07 advisory. Bump package Release to 21.0.5 CVE-2025-8194: tarfile: validate archives to ensure member offsets are non-negative CVEs: CVE-2025-8194 There is a defect in...
EulerOS Virtualization 2.13.0 : python3 (EulerOS-SA-2025-2614)
According to the versions of the python3 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python3 (UTSA-2025-992145)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-992145 advisory. There is a defect in the CPython tarfile module affecting the TarFile extraction and entry enumeration APIs. The tar implementation would process tar archives with...