
GuardDog vulnerable to arbitrary file write when scanning a specially-crafted PyPI package

Moderate severity GitHub Reviewed Published Nov 29, 2022 in DataDog/guarddog • Updated Sep 20, 2024

Package

pip guarddog (pip)

Affected versions

< 0.1.5

Patched versions

0.1.5

Description

Impact

Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed.

This is due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned: by design, the tarfile.TarFile.extractall function does not sanitize member paths, so members with absolute names or names containing ".." can be written outside the extraction directory. See also https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall
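As an added example, not code from the advisory or from GuardDog itself: a pre-extraction check that flags members whose resolved path would land outside the destination directory, run against a constructed in-memory archive (the member names and the scan directory are assumptions).

```python
import io
import os
import tarfile


def is_within(dest: str, target: str) -> bool:
    """True if target resolves to a path at or below dest."""
    dest_real = os.path.realpath(dest)
    return os.path.commonpath([dest_real, os.path.realpath(target)]) == dest_real


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Names of members that must not be extracted into dest: '../' traversal,
    absolute names (os.path.join drops dest for those), and sym/hard links,
    which can point outside dest even when their own name is clean."""
    bad = []
    for m in tar.getmembers():
        if not is_within(dest, os.path.join(dest, m.name)) or m.issym() or m.islnk():
            bad.append(m.name)
    return bad


def safe_extractall(tar: tarfile.TarFile, dest: str) -> None:
    """Refuse the whole archive if any member is unsafe, otherwise extract."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"refusing to extract members outside {dest}: {bad}")
    tar.extractall(dest)


def build_archive(members: dict) -> bytes:
    """Constructed in-memory .tar.gz for the demo, not a real package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: one legitimate file plus one traversal member.
SAMPLE = build_archive({"pkg/setup.py": b"print('ok')\n", "../escaped.txt": b"x\n"})


def check_sample(dest: str = "/tmp/guarddog-scan") -> list:
    """Member names flagged for an assumed scan directory (nothing is written)."""
    with tarfile.open(fileobj=io.BytesIO(SAMPLE), mode="r:gz") as tar:
        return unsafe_members(tar, dest)
```

On Python 3.12 and later the standard library's `tar.extractall(dest, filter="data")` applies equivalent checks.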

Remediation

Upgrade to GuardDog v0.1.5 or later.

References

@christophetd christophetd published to DataDog/guarddog Nov 29, 2022
Published to the GitHub Advisory Database Dec 2, 2022
Reviewed Dec 2, 2022
Published by the National Vulnerability Database Dec 17, 2022
Last updated Sep 20, 2024

Severity

Moderate

EPSS score

0.072%
(32nd percentile)

CVE ID

CVE-2022-23531

GHSA ID

GHSA-rp2v-v467-q9vq
