CVE-2022-23531

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-23531
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23531.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-23531
Aliases
Published
2022-12-17T00:15:08Z
Modified
2024-10-12T09:14:06.383658Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5.

References

Affected packages

Git / github.com/datadog/guarddog

Affected ranges

Type
GIT
Repo
https://github.com/datadog/guarddog
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
98af5c8c1e9c15fa888c900252e76116b0ec25d1

Affected versions

v0.*

v0.0.1
v0.0.2
v0.0.3
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4