PYSEC-2022-42993

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/guarddog/PYSEC-2022-42993.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2022-42993
Aliases
Published
2022-12-16T23:15:00Z
Modified
2023-11-01T04:57:54.147Z
Summary
[none]
Details

GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpack_archive() from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten. This issue is patched in version 0.1.8. Potential workarounds include using a safer module, like zipfile, and validating the location of the extracted files and discarding those with malicious paths.

References

Affected packages

PyPI / guarddog

Package

Affected ranges

Type
GIT
Repo
https://github.com/DataDog/guarddog
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.1.8

Affected versions

0.*

0.1.1
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7