Count: 2
CVE-2022-23530

GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpack_archive() from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten. This issue is patched in version 0.1.8. Potential workarounds include using a safer module, like zipfile, and validating the location of the extracted files and discarding those with malicious paths.

GHSA-78m5-jpmf-ch7v

GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package
| Vulnerability | CVSS | EPSS | Published |
|---|---|---|---|
| CVE-2022-23530: GuardDog arbitrary file write when scanning a specially-crafted remote PyPI package (full description above) | CVSS3: 5.8 | 1% (Low) | about 3 years ago |
| GHSA-78m5-jpmf-ch7v: GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package | CVSS3: 5.8 | 1% (Low) | about 3 years ago |