Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package
Vulnerability Description
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpack_archive() from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten. This issue is patched in version 0.1.8. Potential workarounds include using a safer module, like zipfile, and validating the location of the extracted files and discarding those with malicious paths.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
GuardDog 路径遍历漏洞
Vulnerability Description
GuardDog是GuardDog开源的一个 CLI 工具,允许识别恶意PyPI包。 GuardDog v0.1.8之前版本存在路径遍历漏洞,该漏洞源于在扫描特制的远程PyPI包时容易受到任意文件写入的攻击,使用shutil.unpack_archive()从潜在恶意tarball中提取文件而不验证目标文件路径是否在预期目标目录内可能会导致目标目录外的文件被覆盖。
CVSS Information
N/A
Vulnerability Type
N/A