I'm concerned about CVE-2024-12718, which is showing a CVSS score of 10 on Microsoft Defender. This has reached the attention of management, and I'm uncertain if version 3.14.2 of Python is patched or requires a manual fix. If a manual patch is necessary, I'd appreciate guidance on how to install it.
Most of the detections seem to be occurring on Windows machines where Python might be used for lightweight development tasks or Arduino projects. While I doubt anyone is actively extracting tarfiles, I suspect some auto-updates or scripts might do so in the background.
For context, I installed Python following these commands:
winget install 9NQ7512CXL7T
py install
py -3.14-64
cd c:python
py -3.14 -m venv .venv
Thanks for any insights!
3 Answers
It seems like Defender flags it as a critical issue, but I found out that it’s fixed in Python 3.15. Unfortunately, a stable release isn't available yet, but if you’re in urgent need, you could try running alpha builds of 3.15.
A simple fix could be to remove the 'tarfile' module entirely until a proper patch is made. It’s straightforward and could help you avoid potential issues.
I actually saw a report where it said the score is 5.3 overall, which is pretty low, but the CVSS score you’re referring to is alarming for management. However, make sure you're not using 'tar.extract' on untrusted data in your projects. That's where the risk could come from.
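A defensive pre-extraction check for the tarfile usage mentioned above, added here as an example and not part of the original question or answers. It assumes Python 3.9 or later and a trusted destination directory: it constructs a sample archive in memory (constructed data), rejects members with absolute or traversing paths and any link entries before a single file is written, and passes filter="data" to extractall where the interpreter provides extraction filters.

```python
import io
import tarfile
import tempfile
from pathlib import Path


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Names of members that should never be written under dest:
    absolute paths, '..' traversal, hard/symbolic links and special files."""
    dest_real = Path(dest).resolve()
    bad = []
    for m in tar.getmembers():
        p = Path(m.name)
        escapes = p.is_absolute() or not (dest_real / p).resolve().is_relative_to(dest_real)
        if escapes or m.issym() or m.islnk() or not (m.isfile() or m.isdir()):
            bad.append(m.name)
    return bad


def check_archive(data: bytes, dest: str) -> list[str]:
    """Inspect an in-memory archive without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return unsafe_members(tar, dest)


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract only if the whole archive passes the check; returns member names."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing to extract unsafe members: {bad}")
        if hasattr(tarfile, "data_filter"):  # extraction filters are available
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def build_tar(entries) -> bytes:
    """Constructed sample archive from (name, kind, payload) tuples; kind is 'file' or 'symlink'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()
```

Run check_archive on any archive a background script downloads before letting it extract; a non-empty result is the signal to quarantine the file rather than unpack it.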
