CVE-2022-23531
published 2022-12-17

Priority: P3 (41), high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 0.59% (43.8th percentile)
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5.
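The description above pins the defect on tarfile.TarFile.extractall writing wherever a member name points. The following is an added example, not GuardDog's code and not the 0.1.5 fix: a hardened extraction routine that resolves each member's destination, refuses anything that escapes the scan directory, and refuses link and device members entirely, plus three constructed in-memory archives (a benign sdist, a "../" traversal, and a symlink) that exercise it. Names such as safe_extractall, build_tar and extract_sdist are the example's own. On Python 3.12 (and the security backports to earlier 3.x releases) the standard library offers extractall(..., filter="data") for the same purpose; the check below works on any version.

```python
import io
import os
import shutil
import tarfile
import tempfile


def safe_extractall(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Extract `tar` into `dest`, refusing any member that would land outside it.

    Only regular files and directories are written. Symlinks, hard links and
    device nodes are rejected outright, so nothing extracted earlier can be
    used to redirect a later member. Containment is checked with commonpath on
    resolved paths, so dest=/tmp/scan does not accept /tmp/scan2/x either.
    """
    dest_real = os.path.realpath(dest)
    extracted = []
    for member in tar.getmembers():
        if not (member.isfile() or member.isdir()):
            raise ValueError(f"refusing non-regular member {member.name!r}")
        target = os.path.realpath(os.path.join(dest_real, member.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            raise ValueError(f"path traversal attempt in member {member.name!r}")
        if member.isdir():
            os.makedirs(target, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # Copy the payload ourselves instead of calling tar.extract(), so
            # the archive's own path handling is never trusted.
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
        extracted.append(member.name)
    return extracted


def build_tar(members) -> bytes:
    """Build an in-memory .tar.gz from (TarInfo, payload-or-None) pairs (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for info, data in members:
            if data is not None:
                info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data is not None else None)
    return buf.getvalue()


def file_member(name: str, data: bytes):
    return (tarfile.TarInfo(name), data)


def symlink_member(name: str, link_target: str):
    info = tarfile.TarInfo(name)
    info.type = tarfile.SYMTYPE
    info.linkname = link_target
    return (info, None)


# Constructed sample archives: one well-formed sdist, one with a "../" member
# of the kind the advisory describes, one with a symlink member.
BENIGN_SDIST = build_tar([
    file_member("demo-1.0/setup.py", b"from setuptools import setup\nsetup(name='demo')\n"),
])
TRAVERSAL_SDIST = build_tar([
    file_member("../escaped.txt", b"would be written outside the scan directory\n"),
])
SYMLINK_SDIST = build_tar([
    symlink_member("demo-1.0/link", "../outside"),
])


def extract_sdist(tar_bytes: bytes):
    """Unpack one package archive into a throwaway directory the way a scanner would.

    Returns (extracted member names, None) on success or ([], error message)
    when the archive was refused; nothing is written in the refused case.
    """
    with tempfile.TemporaryDirectory() as workdir, \
            tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        try:
            return safe_extractall(tar, workdir), None
        except ValueError as exc:
            return [], str(exc)


if __name__ == "__main__":
    for label, archive in [("benign", BENIGN_SDIST),
                           ("traversal", TRAVERSAL_SDIST),
                           ("symlink", SYMLINK_SDIST)]:
        print(label, extract_sdist(archive))
```

Note that the check rejects the whole archive on the first bad member rather than skipping it: a package that carries a traversal entry is itself a finding for a malware scanner, not a file to be cleaned up and inspected as usual.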

Affected

4 ranges

Vendor     Product   Version range                                        Fixed in
datadog    guarddog  < 0.1.5                                              0.1.5
datadog    guarddog  >= 0, < 0.1.5                                        0.1.5
datadog    guarddog  >= 0, < a56aff58264cb6b7855d71b00dc10c39a5dbd306     a56aff58264cb6b7855d71b00dc10c39a5dbd306
datadoghq  guarddog  < 0.1.5                                              0.1.5