CVE-2022-23531

2022-12-1700:15:08

CWE-22

CWE-23

[email protected]

web.nvd.nist.gov

100

guarddog

cli tool

pypi

pypi packages

vulnerability

path traversal

cve-2022-23531

nvd

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.6%

JSON

GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5.

Affected configurations

Vulners

NVD

Node

datadogguarddogRange<0.1.5

CPENameOperatorVersion
datadoghq:guarddogdatadoghq guarddoglt0.1.5

CPE	Name	Operator	Version
datadoghq:guarddog	datadoghq guarddog	lt	0.1.5

CNA Affected

[
  {
    "vendor": "DataDog",
    "product": "guarddog",
    "versions": [
      {
        "version": "< 0.1.5",
        "status": "affected"
      }
    ]
  }
]