CVE-2022-23531
Published 2022-12-17
Priority: P3 · 41 · CVSS 3.1: 7.8 (high) · Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.59% (43.8th percentile)
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| datadog | guarddog | < 0.1.5 | 0.1.5 |
| datadog | guarddog | >= 0 < 0.1.5 | 0.1.5 |
| datadog | guarddog | >= 0 < a56aff58264cb6b7855d71b00dc10c39a5dbd306 | a56aff58264cb6b7855d71b00dc10c39a5dbd306 |
| datadoghq | guarddog | < 0.1.5 | 0.1.5 |
OSV · 2022-12-17 · CVE-2022-23531: GuardDog is a CLI tool to identify malicious PyPI packages
OSV · 2022-12-02 · CVE-2022-23531 [LOW]: GuardDog vulnerable to arbitrary file write when scanning a specially-crafted PyPI package
### Impact
Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed.
This is due to a path traversal vulnerability when extracting the `.tar.gz` file of the package being scanned, which exists by design in the `tarfile.TarFile.extractall` function. See also https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall
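The traversal described above comes from `tarfile.TarFile.extractall` writing members wherever their stored names point. The following is an added example, not GuardDog's own code, of the pre-extraction check a scanner needs for an untrusted sdist: every member's destination, and the target of any symlink or hardlink, is resolved and required to stay under the extraction directory before a single byte is written. `build_sample_tar` and `scan_package` are constructed helpers that build a small in-memory archive so the check can be exercised offline.

```python
import io
import os
import tarfile
import tempfile

class UnsafeTarMember(ValueError):
    """Raised when a member's path or link target lies outside the extraction dir."""

def is_within_directory(directory: str, target: str) -> bool:
    """True if `target` resolves to `directory` itself or a path beneath it."""
    base = os.path.realpath(directory)
    return os.path.commonpath([base, os.path.realpath(target)]) == base

def safe_extractall(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Extract `tar` into `dest`; every member is checked before any is written."""
    for member in tar.getmembers():
        member_path = os.path.join(dest, member.name)  # "../x" and "/etc/x" both escape
        if not is_within_directory(dest, member_path):
            raise UnsafeTarMember(f"path traversal in member {member.name!r}")
        if member.issym():  # symlink target is relative to the member's own directory
            link_path = os.path.join(os.path.dirname(member_path), member.linkname)
        elif member.islnk():  # hardlink target is relative to the archive root
            link_path = os.path.join(dest, member.linkname)
        else:
            continue
        if not is_within_directory(dest, link_path):
            raise UnsafeTarMember(f"link escapes destination in {member.name!r}")
    tar.extractall(dest)  # safe only because all members were validated above (3.12+ also offers filter="data")
    return [m.name for m in tar.getmembers()]

def build_sample_tar(names: list[str]) -> tarfile.TarFile:
    """Constructed in-memory .tar.gz in which each name becomes a small file member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"print('hello')\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r:gz")

def scan_package(names: list[str]) -> str:
    """Extract a constructed package into a scratch dir; returns 'ok' or 'rejected'."""
    with tempfile.TemporaryDirectory() as dest, build_sample_tar(names) as tar:
        try:
            safe_extractall(tar, dest)
        except UnsafeTarMember:
            return "rejected"
    return "ok"
```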
### Remediation
Upgrade to GuardDog v0.1.5 or more recent.
### References
* https://semgrep.dev/r?q=trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal
* https://www.trellix.com/en-us/about/newsroom/stories/research/tarfile-exploiting-the-world.html
* https:
GHSA · 2022-12-02 · CVE-2022-23531 [LOW] · CWE-22: GuardDog vulnerable to arbitrary file write when scanning a specially-crafted PyPI package
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
* https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306
* https://github.com/DataDog/guarddog/releases/tag/v0.1.5
* https://github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vq