Safety vulnerability ID: 51336
The information on this page was manually curated by our Cybersecurity Intelligence Team.
MobSF 3.6.0 includes a fix for CVE-2007-4559: Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
Latest version: 4.1.3
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
- Features or Enhancements
  - False Positive Triaging / Suppression Triaging Support for critical Android and iOS Security Analysis features.
    - Android Binary & Source - Supports Code Analysis and Manifest Analysis
    - iOS Binary - Supports Binary Code Analysis
    - iOS Source - Supports Code Analysis
  - New REST APIs for Suppression Support
  - Android Certificate Analysis improvements
  - Remove RELRO check from Android binary analysis due to false positives
  - iOS Bundle ID extraction improvements
  - Feature parity - Allow IPA downloads from reports view
  - Code QA: Reduce false positives in identified secrets
  - Check for updates from GitHub releases
  - M1 Mac support
  - Disabled-by-default feature to support hotspots in AppSec Scorecard
  - Dependency updates
  - Added CodeQL scan on MobSF Python code base
- Bug Fixes
  - Fixes 1999, 1917, 2042, 1981, 2014, 2043
  - Fixed a bug in JSON response REST API
  - iOS URL view fix
  - Code fixes to address minor security issues in third-party libraries.
  - Handle JADX timeouts