Vulnerability Description
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Datadoghq | Guarddog | < 0.1.5 |
Related Weaknesses (CWE)
References
- https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc1PatchThird Party Advisory
- https://github.com/DataDog/guarddog/releases/tag/v0.1.5Release NotesThird Party Advisory
- https://github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vqThird Party Advisory
- https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc1PatchThird Party Advisory
- https://github.com/DataDog/guarddog/releases/tag/v0.1.5Release NotesThird Party Advisory
- https://github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vqThird Party Advisory
FAQ
What is CVE-2022-23531?
CVE-2022-23531 is a vulnerability with a CVSS score of 5.8 (MEDIUM). GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog aga...
How severe is CVE-2022-23531?
CVE-2022-23531 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-23531?
Check the references section above for vendor advisories and patch information. Affected products include: Datadoghq Guarddog.