BIT-python-2026-4360

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/python/BIT-python-2026-4360.json
JSON Data
https://api.test.osv.dev/v1/vulns/BIT-python-2026-4360
Aliases
Published
2026-07-08T11:36:19.791Z
Modified
2026-07-08T12:11:36.227598331Z
Summary
Tarfile.extract() doesn't fully respect filter parameter
Details

In the Tarfile.extract() function, the filter parameter is not passed properly when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract() function.

Database specific
{
    "severity": "Low",
    "cpes": [
        "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / python

Package

Name
python
Purl
pkg:bitnami/python

Severity

  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/python/BIT-python-2026-4360.json"