CVE-2022-23531

GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5.

CVSS v3.0 7.8 HIGH

7.8^/10

CVSS v3.0 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/DataDog/guarddog/releases/tag/v0.1.5	Release Notes Third Party Advisory
https://github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vq	Third Party Advisory
https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306	Patch Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:datadoghq:guarddog:*:*:*:*:*:python:*:*

Information

Published : 2022-12-16 16:15

Updated : 2022-12-22 06:43

NVD link : CVE-2022-23531

Mitre link : CVE-2022-23531

JSON object : View

CWE

CWE-23

Relative Path Traversal

Advertisement

Products Affected

datadoghq

guarddog

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/DataDog/guarddog/releases/tag/v0.1.5", "name": "https://github.com/DataDog/guarddog/releases/tag/v0.1.5", "tags": ["Release Notes", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vq", "name": "https://github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vq", "tags": ["Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306", "name": "https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-23"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-23531", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}}, "publishedDate": "2022-12-17T00:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:datadoghq:guarddog:*:*:*:*:*:python:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "0.1.5"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-12-22T14:43Z"}