CVE-2022-23531
- Source
- https://cve.org/CVERecord?id=CVE-2022-23531
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23531.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-23531
- Aliases
- Published
- 2022-12-16T23:41:15.078Z
- Modified
- 2026-02-20T06:26:12.056324Z
- Severity
-
- 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L CVSS Calculator
- Summary
- Arbitrary file write when scanning a specially-crafted local PyPI package
- Details
-
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23531.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-23" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23531.json
- https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306
- https://github.com/DataDog/guarddog/releases/tag/v0.1.5
- https://github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vq
- https://nvd.nist.gov/vuln/detail/CVE-2022-23531