CVE-2022-23530

Published: Dec 16, 2022

Modified: Apr 17, 2025

PUBLISHED

CVSS v3.1

5.8

MEDIUM

Description

GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpack_archive() from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten. This issue is patched in version 0.1.8. Potential workarounds include using a safer module, like zipfile, and validating the location of the extracted files and discarding those with malicious paths.

Vendor	Product	Versions
DataDog	guarddog	affected `< 0.1.8`

Weaknesses (CWE)

CWE-22

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

References

https://github.com/DataDog/guarddog/security/advisories/GHSA-78m5-jpmf-ch7v

x_refsource_CONFIRM

https://github.com/DataDog/guarddog/commit/37c7d0767ba28f4df46117d478f97652594c491c

x_refsource_MISC

https://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-23530

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References