Home > Vulnerability Database > WS-2022-0410

Mend.io Vulnerability Database

WS-2022-0410

Good to know:

Date: December 3, 2022

guarddog prior to 0.1.5 is vulnerable to arbitrary file write when scanning a specially-crafted PyPI package. An attacker is able to write an arbitrary file on the machine where GuardDog is executed. This is due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function.

Language: Python

Severity Score

7.4

Related Resources (2)

Url: https://github.com/DataDog/guarddog/commit/98af5c8c1e9c15fa888c900252e76116b0ec25d1

Url: https://www.mend.io/vulnerability-database/WS-2022-0410

Severity Score

7.4

Weakness Type (CWE)

Relative Path Traversal

CWE-23

Top Fix

Upgrade Version

Upgrade to version guarddog - 0.1.5

Learn More

CVSS v3.1

Base Score:	7.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2022-0410

Good to know:

Date: December 3, 2022

Language: Python

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?