Affected versions
<v0.1.5
Impact
Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed.
This is due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. See also https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall
Remediation
Upgrade to GuardDog v0.1.5 or more recent.
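The check below is an added illustration and is not GuardDog's code or its fix: before calling extractall, every member of the archive is tested for a path, symlink target or hardlink target that would resolve outside the destination directory. The archive is constructed sample data built in memory; the function names are assumptions.

```python
import io
import os
import tarfile
import tempfile


def is_within(directory: str, target: str) -> bool:
    """True if `target` normalises to a path inside `directory`."""
    directory = os.path.abspath(directory)
    target = os.path.abspath(target)
    return os.path.commonpath([directory, target]) == directory


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Names of members whose path, symlink or hardlink would escape `dest`."""
    bad = []
    for m in tar.getmembers():
        path = os.path.join(dest, m.name)
        if not is_within(dest, path):
            bad.append(m.name)  # e.g. "../x" or an absolute name
        elif m.issym() and not is_within(dest, os.path.join(os.path.dirname(path), m.linkname)):
            bad.append(m.name)  # symlink target is relative to the member's directory
        elif m.islnk() and not is_within(dest, os.path.join(dest, m.linkname)):
            bad.append(m.name)  # hardlink target is relative to the archive root
    return bad


def safe_extractall(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Refuse the whole archive if any member escapes; otherwise extract it."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"refusing archive, members escape {dest!r}: {bad}")
    tar.extractall(dest)
    return [m.name for m in tar.getmembers()]


def build_archive(files: dict, symlinks=None) -> bytes:
    """Constructed sample .tar.gz built in memory (not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in (symlinks or {}).items():
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


def audit_archive(data: bytes) -> list[str]:
    """Open an in-memory archive and report members that would escape a scratch dir."""
    with tempfile.TemporaryDirectory() as dest, tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return unsafe_members(tar, dest)
```

On Python 3.12 and the security backports to 3.8 through 3.11, `extractall(path, filter="data")` performs equivalent checks in the standard library itself.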
References