CVE-2022-23531

2022-12-1700:15:08

Google

osv.dev

guarddog

cli tool

relative path traversal

pypi packages

vulnerable

path traversal vulnerability

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

26.6%

JSON

GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5.

CPENameOperatorVersion
guarddogeq0.1.0
guarddogeq0.1.4
guarddogeq0.0.1
guarddogeq0.0.2
guarddogeq0.1.1
guarddogeq0.1.3
guarddogeq0.1.2
guarddogeq0.0.3