Auto import

vulns/guarddog/PYSEC-0000-CVE-2022-23530.yaml

@@ -0,0 +1,40 @@
+id: PYSEC-0000-CVE-2022-23530
+details: GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior
+  to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted
+  remote PyPI package. Extracting files using shutil.unpack_archive() from a potentially
+  malicious tarball without validating that the destination file path is within the
+  intended destination directory can cause files outside the destination directory
+  to be overwritten. This issue is patched in version 0.1.8. Potential workarounds
+  include using a safer module, like zipfile, and validating the location of the extracted
+  files and discarding those with malicious paths.
+affected:
+- package:
+    name: guarddog
+    ecosystem: PyPI
+    purl: pkg:pypi/guarddog
+  ranges:
+  - type: GIT
+    repo: https://github.com/DataDog/guarddog
+    events:
+    - introduced: "0"
+    - fixed: 37c7d0767ba28f4df46117d478f97652594c491c
+  - type: ECOSYSTEM
+    events:
+    - introduced: "0"
+    - fixed: 0.1.8
+references:
+- type: EVIDENCE
+  url: https://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158
+- type: WEB
+  url: https://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158
+- type: EVIDENCE
+  url: https://github.com/DataDog/guarddog/security/advisories/GHSA-78m5-jpmf-ch7v
+- type: ADVISORY
+  url: https://github.com/DataDog/guarddog/security/advisories/GHSA-78m5-jpmf-ch7v
+- type: FIX
+  url: https://github.com/DataDog/guarddog/commit/37c7d0767ba28f4df46117d478f97652594c491c
+aliases:
+- CVE-2022-23530
+- GHSA-78m5-jpmf-ch7v
+modified: "2022-12-22T14:43:00Z"
+published: "2022-12-16T23:15:00Z"

vulns/guarddog/PYSEC-0000-CVE-2022-23531.yaml

@@ -0,0 +1,37 @@
+id: PYSEC-0000-CVE-2022-23531
+details: GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior
+  to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted
+  local PyPI package. Running GuardDog against a specially-crafted package can allow
+  an attacker to write an arbitrary file on the machine where GuardDog is executed
+  due to a path traversal vulnerability when extracting the .tar.gz file of the package
+  being scanned, which exists by design in the tarfile.TarFile.extractall function.
+  This issue is patched in version 0.1.5.
+affected:
+- package:
+    name: guarddog
+    ecosystem: PyPI
+    purl: pkg:pypi/guarddog
+  ranges:
+  - type: GIT
+    repo: https://github.com/DataDog/guarddog
+    events:
+    - introduced: "0"
+    - fixed: a56aff58264cb6b7855d71b00dc10c39a5dbd306
+  - type: ECOSYSTEM
+    events:
+    - introduced: "0"
+    - fixed: 0.1.5
+references:
+- type: WEB
+  url: https://github.com/DataDog/guarddog/releases/tag/v0.1.5
+- type: ADVISORY
+  url: https://github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vq
+- type: FIX
+  url: https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306
+- type: WEB
+  url: https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306
+aliases:
+- CVE-2022-23531
+- GHSA-rp2v-v467-q9vq
+modified: "2022-12-22T14:43:00Z"
+published: "2022-12-17T00:15:00Z"

vulns/ubi-reader/PYSEC-0000-CVE-2022-4572.yaml

@@ -0,0 +1,40 @@
+id: PYSEC-0000-CVE-2022-4572
+details: A vulnerability, which was classified as problematic, has been found in UBI
+  Reader up to 0.8.0. Affected by this issue is the function ubireader_extract_files
+  of the file ubireader/ubifs/output.py of the component UBIFS File Handler. The manipulation
+  leads to path traversal. The attack may be launched remotely. Upgrading to version
+  0.8.5 is able to address this issue. The name of the patch is d5d68e6b1b9f7070c29df5f67fc060f579ae9139.
+  It is recommended to upgrade the affected component. VDB-216146 is the identifier
+  assigned to this vulnerability.
+affected:
+- package:
+    name: ubi-reader
+    ecosystem: PyPI
+    purl: pkg:pypi/ubi-reader
+  ranges:
+  - type: GIT
+    repo: https://github.com/jrspruitt/ubi_reader
+    events:
+    - introduced: "0"
+    - fixed: d5d68e6b1b9f7070c29df5f67fc060f579ae9139
+  - type: ECOSYSTEM
+    events:
+    - introduced: "0"
+    - fixed: 0.8.2
+references:
+- type: WEB
+  url: https://github.com/jrspruitt/ubi_reader/releases/tag/v0.8.5-master
+- type: FIX
+  url: https://github.com/jrspruitt/ubi_reader/commit/d5d68e6b1b9f7070c29df5f67fc060f579ae9139
+- type: WEB
+  url: https://vuldb.com/?id.216146
+- type: REPORT
+  url: https://github.com/jrspruitt/ubi_reader/pull/57
+- type: FIX
+  url: https://github.com/jrspruitt/ubi_reader/pull/57
+- type: WEB
+  url: https://github.com/jrspruitt/ubi_reader/pull/57
+aliases:
+- CVE-2022-4572
+modified: "2022-12-22T14:47:00Z"
+published: "2022-12-17T02:15:00Z"