CVE-2022-23531

Опубликовано: 17 дек. 2022

Источник: nvd

CVSS3: 5.8

CVSS3: 7.8

EPSS Низкий

Описание

GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5.

Ссылки

https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306
Patch
Third Party Advisory
https://github.com/DataDog/guarddog/releases/tag/v0.1.5
Release Notes
Third Party Advisory
https://github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vq
Third Party Advisory
https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306
Patch
Third Party Advisory
https://github.com/DataDog/guarddog/releases/tag/v0.1.5
Release Notes
Third Party Advisory
https://github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vq
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:datadoghq:guarddog:*:*:*:*:*:python:*:*

Версия до 0.1.5 (исключая)

EPSS

Процентиль: 36%

0.00152

Низкий

5.8 Medium

CVSS3

7.8 High

CVSS3

Дефекты

CWE-23

CWE-22

Связанные уязвимости

GHSA-rp2v-v467-q9vq

CVSS3: 5.8

github

около 3 лет назад

GuardDog vulnerable to arbitrary file write when scanning a specially-crafted PyPI package

EPSS

Процентиль: 36%

0.00152

Низкий

5.8 Medium

CVSS3

7.8 High

CVSS3

Дефекты

CWE-23

CWE-22