CVE-2022-23530: GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package
Unsafe extraction using shutil.unpack_archive() of a remotely retrieved tarball may lead to extracted files being written to an unintended destination. unpack_archive() delegates to tarfile, which honours member names as stored in the archive, so a crafted PyPI sdist containing members with ".." components or absolute paths is written outside the directory the scanner extracts into (path traversal on extraction).
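The following Python example is added here to make the bug class concrete; it is not GuardDog's code and does not reproduce its fix. It builds a constructed sdist tarball in memory whose second member is named `../escaped.txt`, shows that handing it to shutil.unpack_archive() writes that file above the extraction directory on interpreters whose tarfile default is unfiltered, and then a hardened extractor that resolves every member's target path and refuses the archive if any member (or any link or device member) would land outside the destination. The package name `pkg-1.0`, the member names and all function names are assumptions for illustration.

```python
"""Constructed demonstration of unsafe tar extraction (the bug class behind
CVE-2022-23530) next to a hardened extractor. Not GuardDog's own code."""
import io
import shutil
import sys
import tarfile
import tempfile
from pathlib import Path

# Python 3.14 makes tarfile's 'data' extraction filter the default (PEP 706),
# which refuses members that would land outside the destination directory.
TAR_FILTERED_BY_DEFAULT = sys.version_info >= (3, 14)


class UnsafeArchiveError(ValueError):
    """Raised when an archive member would escape the extraction directory."""


def build_sdist(malicious: bool) -> bytes:
    """Build a small .tar.gz in memory that imitates a PyPI sdist.
    Constructed sample input: the malicious variant adds a member whose
    name climbs one level above the extraction directory."""
    members = [("pkg-1.0/setup.py", b"from setuptools import setup\nsetup(name='pkg')\n")]
    if malicious:
        members.append(("../escaped.txt", b"written outside the extraction dir\n"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)  # the name is stored verbatim, '..' included
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unsafe_extract_escapes() -> bool:
    """The vulnerable pattern: pass a downloaded tarball to shutil.unpack_archive(),
    which delegates to tarfile without validating member names. Returns True if
    a file ended up outside the extraction directory."""
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = Path(tmp)
        archive = sandbox / "pkg-1.0.tar.gz"
        archive.write_bytes(build_sdist(malicious=True))
        dest = sandbox / "extract"
        dest.mkdir()
        try:
            shutil.unpack_archive(str(archive), extract_dir=str(dest))
        except getattr(tarfile, "FilterError", ()):
            return False  # a newer tarfile default filter refused the member
        return (sandbox / "escaped.txt").exists()


def member_is_safe(member: tarfile.TarInfo, dest: Path) -> bool:
    """True only if extracting `member` under the resolved `dest` stays inside it.
    Links and device nodes are refused outright: a symlink member pointing outside
    `dest`, followed by a file member written through it, is another escape route."""
    if not (member.isfile() or member.isdir()):
        return False
    target = (dest / member.name).resolve()  # normalises '..' and absolute names
    return target == dest or dest in target.parents


def safe_extract(archive: bytes, dest: Path) -> list:
    """Hardened replacement for unpack_archive(): validate every member before
    extracting anything and reject the whole archive on the first bad member
    (a scanner should report that, not silently skip the member). Where the
    interpreter provides tarfile's 'data' filter it is applied as a second layer."""
    dest.mkdir(parents=True, exist_ok=True)
    dest = dest.resolve()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            if not member_is_safe(m, dest):
                raise UnsafeArchiveError(f"refusing archive member {m.name!r}")
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        for m in members:
            tar.extract(m, path=str(dest), **extra)
    return [m.name for m in members]


def safe_extract_demo() -> tuple:
    """Run safe_extract() over the malicious and the benign constructed sdist.
    Returns (malicious_archive_rejected, names_extracted_from_benign_archive)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "extract"
        try:
            safe_extract(build_sdist(malicious=True), dest)
            rejected = False
        except UnsafeArchiveError:
            rejected = True
        assert not (Path(tmp) / "escaped.txt").exists()
        names = safe_extract(build_sdist(malicious=False), dest)
        assert (dest / "pkg-1.0" / "setup.py").is_file()
    return rejected, names


if __name__ == "__main__":
    print("unpack_archive() wrote outside the destination:", unsafe_extract_escapes())
    print("safe_extract() rejected malicious / extracted benign:", safe_extract_demo())
```

On Python 3.12 and later, tarfile.extract()/extractall() and shutil.unpack_archive() accept `filter="data"`, which rejects the same traversal members; the explicit path check above additionally covers older interpreters and lets a scanner surface the crafted package as a finding rather than relying on the extraction library's defaults.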
References
- github.com/DataDog/guarddog
- github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py
- github.com/DataDog/guarddog/commit/37c7d0767ba28f4df46117d478f97652594c491c
- github.com/DataDog/guarddog/security/advisories/GHSA-78m5-jpmf-ch7v
- github.com/advisories/GHSA-78m5-jpmf-ch7v
- github.com/pypa/advisory-database/tree/main/vulns/guarddog/PYSEC-2022-42993.yaml
- nvd.nist.gov/vuln/detail/CVE-2022-23530