
GuardDog vulnerable to arbitrary file write when scanning a specially-crafted PyPI package

Moderate severity GitHub Reviewed Published Nov 29, 2022 in DataDog/guarddog • Updated Jun 27, 2023

Package

pip guarddog (pip)

Affected versions

< 0.1.5

Patched versions

0.1.5

Description

Impact

Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed. The file is written with the privileges of the user running the scan, and the attack requires that user to scan the crafted package (hence "User interaction: Required" in the CVSS vector below).

The root cause is a path traversal in the extraction of the scanned package's .tar.gz archive. GuardDog handed the archive to tarfile.TarFile.extractall, which by design does not validate member names: a member whose name contains ".." components (or is an absolute path) is written wherever that path points rather than inside the extraction directory. The Python documentation warns about exactly this; see https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall
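The following is an added example and not GuardDog's own code. It constructs, in memory, a small sdist-like .tar.gz containing one member named "../escaped.txt", shows the vulnerable extractall() pattern writing that file one level above the extraction directory, and places a hardened extractor beside it that validates every member (path, symlink and hard-link targets, special files) before writing anything. The helper names (build_malicious_tgz, unsafe_extract, safe_extract, demo) and the archive contents are this example's own assumptions.

```python
# Added example (not GuardDog's code): a .tar.gz constructed in memory with a
# member named "../escaped.txt", the vulnerable extractall() pattern, and a
# hardened extractor that validates every member before writing anything.
# Helper names here (build_malicious_tgz, unsafe_extract, safe_extract, demo)
# are this example's own.
import io
import os
import tarfile
import tempfile


def build_malicious_tgz() -> bytes:
    """Construct a sdist-like archive containing one traversal member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        setup_py = b"from setuptools import setup\nsetup(name='demo')\n"
        info = tarfile.TarInfo("demo-1.0/setup.py")
        info.size = len(setup_py)
        tar.addfile(info, io.BytesIO(setup_py))
        # tarfile stores this name verbatim; extractall() joins it onto the
        # destination and writes one level above it.
        payload = b"written outside the extraction directory\n"
        info = tarfile.TarInfo("../escaped.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _filter_kwargs(name: str) -> dict:
    # Extraction filters (PEP 706) exist on 3.12+ and on backported 3.8-3.11
    # releases; older interpreters have no such keyword, so pass nothing.
    return {"filter": name} if hasattr(tarfile, name + "_filter") else {}


def unsafe_extract(data: bytes, dest: str) -> None:
    """The vulnerable pattern: extractall() with no member validation."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        # "fully_trusted" reproduces the historical behaviour this advisory is about.
        tar.extractall(dest, **_filter_kwargs("fully_trusted"))


def _inside(root: str, path: str) -> bool:
    """True if `path` resolves to root itself or to something below it."""
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def safe_extract(data: bytes, dest: str) -> list:
    """Hardened extraction: validate every member first, then extract, so a
    malicious archive never results in a partial write."""
    root = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            target = os.path.join(root, m.name)  # an absolute m.name escapes here too
            if not _inside(root, target):
                raise ValueError(f"member escapes destination: {m.name!r}")
            if m.issym():
                # Symlink targets are relative to the link's own directory.
                if not _inside(root, os.path.join(os.path.dirname(target), m.linkname)):
                    raise ValueError(f"symlink escapes destination: {m.name!r}")
            elif m.islnk():
                # Hard-link targets are relative to the archive root.
                if not _inside(root, os.path.join(root, m.linkname)):
                    raise ValueError(f"hardlink escapes destination: {m.name!r}")
            elif not (m.isfile() or m.isdir()):
                raise ValueError(f"refusing special member: {m.name!r}")
        # Defence in depth: also ask tarfile for its "data" filter where available.
        tar.extractall(root, members=members, **_filter_kwargs("data"))
    return [m.name for m in members]


def demo() -> dict:
    """Run both extractors in throwaway directories and report what happened."""
    data = build_malicious_tgz()
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "sandbox")
        os.mkdir(dest)
        unsafe_extract(data, dest)
        out["unsafe_wrote_outside"] = os.path.isfile(os.path.join(tmp, "escaped.txt"))
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "sandbox")
        os.mkdir(dest)
        try:
            safe_extract(data, dest)
            out["safe_rejected"] = False
        except ValueError:
            out["safe_rejected"] = True
        out["safe_wrote_outside"] = os.path.isfile(os.path.join(tmp, "escaped.txt"))
        out["safe_left_sandbox_empty"] = os.listdir(dest) == []
    return out


if __name__ == "__main__":
    print(demo())
```

Two practical notes. Validation is done before any member is written, because a symlink member pointing outside the destination followed by a regular member written through that symlink is the classic way to beat a check that only looks at ".." in names; rejecting escaping link targets closes that path. On interpreters that ship PEP 706 extraction filters, `extractall(..., filter="data")` performs a comparable set of checks itself and raises `tarfile.FilterError` on violation; the explicit loop above is still useful where the code must also run on older Python versions.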

Remediation

Upgrade to GuardDog v0.1.5 or later.

References


christophetd published to DataDog/guarddog Nov 29, 2022
Published to the GitHub Advisory Database Dec 2, 2022
Reviewed Dec 2, 2022
Published by the National Vulnerability Database Dec 17, 2022
Last updated Jun 27, 2023

Severity

Moderate, 5.8 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

CVE ID

CVE-2022-23531

GHSA ID

GHSA-rp2v-v467-q9vq

Source code
