CVE-2022-23531
Summary
| CVE | CVE-2022-23531 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-12-17 00:15:00 UTC |
| Updated | 2023-06-27 18:19:00 UTC |
| Description | GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5. |
Risk And Classification
Problem Types: CWE-22
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Release v0.1.5 · DataDog/guarddog · GitHub | MISC | github.com | |
| Arbitrary file write when scanning a specially-crafted local PyPI package · Advisory · DataDog/guarddog · GitHub | MISC | github.com | |
| Use tarsafe instead of built-in tarfile to extract archives by christophetd · Pull Request #89 · DataDog/guarddog · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.