CVE-2022-23531

EPSS 0.59%
Veröffentlicht 17.12.2022 00:15:08
Zuletzt bearbeitet 21.11.2024 06:48:45
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Arbitrary file write when scanning a specially-crafted local PyPI package

GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Datadoghq ≫ Guarddog SwPlatformpython Version < 0.1.5

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.59%	0.436

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	5.8	1.6	3.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-23 Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306

Patch

Third Party Advisory

https://github.com/DataDog/guarddog/releases/tag/v0.1.5

Third Party Advisory

Release Notes

https://github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vq

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-23531

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-23531

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-23531

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-23531