You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
GuardDog vulnerable to arbitrary file write when scanning a specially-crafted PyPI package
Low severity
GitHub Reviewed
Published
Nov 29, 2022
in
DataDog/guarddog
•
Updated Nov 18, 2024
Impact
Running GuardDog against a specially-crafted package can allow an attacker to write an arbitrary file on the machine where GuardDog is executed.
This is due to a path traversal vulnerability when extracting the
.tar.gz
file of the package being scanned, which exists by design in thetarfile.TarFile.extractall
function. See also https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractallRemediation
Upgrade to GuardDog v0.1.5 or more recent.
References
References