13 matches found
Arbitrary File Write
MindsDB is vulnerable to Arbitrary File Write. The vulnerability exists due to an unsafe extraction process that utilizes the shutil.unpackarchive function in fs.py which allows an attacker to write arbitrary files outside the expected directory...
GHSA-7X45-PHMR-9WQP Arbitrary file write in mindsdb when Extracting Tarballs retrieved from a remote location
Summary An unsafe extraction is being performed using shutil.unpackarchive from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. This vulnerability is sometimes called a TarSlip or a ZipSlip variant. Details Unpacking files using the...
Arbitrary file write in mindsdb when Extracting Tarballs retrieved from a remote location
Summary An unsafe extraction is being performed using shutil.unpackarchive from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. This vulnerability is sometimes called a TarSlip or a ZipSlip variant. Details Unpacking files using the...
CVE-2022-23522
MindsDB is an open source machine learning platform. An unsafe extraction is being performed using shutil.unpackarchive from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. This vulnerability is sometimes called a TarSlip or a ZipSlip...
Design/Logic Flaw
MindsDB is an open source machine learning platform. An unsafe extraction is being performed using shutil.unpackarchive from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. This vulnerability is sometimes called a TarSlip or a ZipSlip...
PYSEC-2023-26
MindsDB is an open source machine learning platform. An unsafe extraction is being performed using shutil.unpackarchive from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. This vulnerability is sometimes called a TarSlip or a ZipSlip...
CVE-2022-23522 Arbitrary File Write when Extracting Tarballs retrieved from a remote location using in mindsdb
MindsDB is an open source machine learning platform. An unsafe extraction is being performed using shutil.unpackarchive from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. This vulnerability is sometimes called a TarSlip or a ZipSlip...
CVE-2022-23522 Arbitrary File Write when Extracting Tarballs retrieved from a remote location using in mindsdb
MindsDB is an open source machine learning platform. An unsafe extraction is being performed using shutil.unpackarchive from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. This vulnerability is sometimes called a TarSlip or a ZipSlip...
CVE-2022-23522
CVE-2022-23522 concerns MindsDB, where unsafe extraction via shutil.unpack_archive() from remotely retrieved tarballs may write files outside the intended directory (TarSlip/ZipSlip variant). The underlying issue: validating destination paths during archive extraction is insufficient, enabling cr...
CVE-2022-23530
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpackarchive from a potentially malicious tarball without validating that the destinati...
PYSEC-2022-42993
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpackarchive from a potentially malicious tarball without validating that the destinati...
CVE-2022-23530 GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpackarchive from a potentially malicious tarball without validating that the destinati...
GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package
Summary Unsafe extracting using shutil.unpackarchive from a remotely retrieved tarball may lead to writing the extracted file to an unintended destination. Details Extracting files using shutil.unpackarchive from a potentially malicious tarball without validating that the destination file path is...