
Arbitrary file write when scanning a specially-crafted local PyPI package

Moderate
christophetd published GHSA-rp2v-v467-q9vq Nov 29, 2022

Package

pip guarddog (pip)

Affected versions

<v0.1.5

Patched versions

v0.1.5

Description

Impact

Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed.

This is due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned: tarfile.TarFile.extractall does not, by default, reject archive members whose paths escape the destination directory (absolute paths or paths containing ".."), which is documented behaviour of that function rather than a bug in tarfile. See also https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall
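The check a scanner needs before handing an untrusted sdist to extractall, as an added example that is not GuardDog's own code nor the v0.1.5 fix: every member's resolved path (and, for links, the link target) is validated against the destination before anything is written. The archives are built in memory as constructed test data; the member names `pkg-1.0/setup.py` and `../../evil.txt` are made up for the demonstration.

```python
import io
import os
import tarfile
import tempfile

def is_within_directory(directory: str, target: str) -> bool:
    """True when `target` resolves lexically to a path inside `directory`."""
    directory, target = os.path.abspath(directory), os.path.abspath(target)
    return os.path.commonpath([directory, target]) == directory

def safe_extractall(tar: tarfile.TarFile, dest: str) -> list:
    """Extract into `dest`, validating every member before writing anything."""
    members = tar.getmembers()
    for m in members:
        target = os.path.join(dest, m.name)  # absolute or '..' names leave dest here
        if not is_within_directory(dest, target):
            raise ValueError(f"path traversal attempt: {m.name!r}")
        if m.issym() or m.islnk():  # link targets must stay inside dest as well
            base = os.path.dirname(target) if m.issym() else dest
            if not is_within_directory(dest, os.path.join(base, m.linkname)):
                raise ValueError(f"link escapes destination: {m.name!r}")
    tar.extractall(dest, members=members)  # only reached if all members passed
    return [m.name for m in members]

def build_tarball(files: dict) -> bytes:
    """In-memory .tar.gz from {member_name: text}; constructed test data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()

def demo() -> dict:
    """Scan a benign sdist and one carrying a '../' member into a scratch dir."""
    benign = build_tarball({"pkg-1.0/setup.py": "from setuptools import setup\n"})
    evil = build_tarball({"pkg-1.0/setup.py": "x", "../../evil.txt": "outside\n"})
    result = {}
    with tempfile.TemporaryDirectory() as dest:
        for label, blob in (("benign", benign), ("evil", evil)):
            try:
                with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
                    result[label] = safe_extractall(tar, dest)
            except ValueError as exc:
                result[label] = str(exc)
        result["escaped"] = os.path.exists(os.path.join(dest, "..", "..", "evil.txt"))
    return result
```

On Python 3.12+ (and the 3.8.17/3.9.17/3.10.12/3.11.4 backports) the same protection is available natively via `extractall(dest, filter="data")`, which rejects such members itself.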

Remediation

Upgrade to GuardDog v0.1.5 or more recent.

References

Severity

Moderate, 5.8 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

CVE ID

CVE-2022-23531

Weaknesses