CVE Vulnerability

CVE-2022-23530

GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpack_archive() from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten. This issue is patched in version 0.1.8. Potential workarounds include using a safer module, like zipfile, and validating the location of the extracted files and discarding those with malicious paths.

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158 Exploit Third Party Advisory
https://github.com/DataDog/guarddog/security/advisories/GHSA-78m5-jpmf-ch7v Exploit Third Party Advisory
https://github.com/DataDog/guarddog/commit/37c7d0767ba28f4df46117d478f97652594c491c Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:datadoghq:guarddog:*:*:*:*:*:python:*:*
Information

Published : 2022-12-16 11:15

Updated : 2022-12-22 02:43

NVD link : CVE-2022-23530

Mitre link : CVE-2022-23530

Products Affected
No products.
CWE
CWE-22