3 matches found
CVE-2022-23530
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpackarchive from a potentially malicious tarball without validating that the destinati...
CVE-2022-23530 GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpackarchive from a potentially malicious tarball without validating that the destinati...
CVE-2022-23530
CVE-2022-23530 affects GuardDog prior to v0.1.8, where scanning a remotely fetched PyPI package could trigger arbitrary file writes. The root cause is using shutil.unpack_archive() on a crafted tarball without validating that extracted paths stay within the destination directory, allowing writes ...