Commit
github-actions committed Dec 22, 2022
1 parent 877870f, commit ca8c884
Showing 3 changed files with 117 additions and 0 deletions.
@@ -0,0 +1,40 @@ | ||
id: PYSEC-0000-CVE-2022-23530 | ||
details: GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior | ||
to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted | ||
remote PyPI package. Extracting files using shutil.unpack_archive() from a potentially | ||
malicious tarball without validating that the destination file path is within the | ||
intended destination directory can cause files outside the destination directory | ||
to be overwritten. This issue is patched in version 0.1.8. Potential workarounds | ||
include using a safer module, like zipfile, and validating the location of the extracted | ||
files and discarding those with malicious paths. | ||
affected: | ||
- package: | ||
name: guarddog | ||
ecosystem: PyPI | ||
purl: pkg:pypi/guarddog | ||
ranges: | ||
- type: GIT | ||
repo: https://github.com/DataDog/guarddog | ||
events: | ||
- introduced: "0" | ||
- fixed: 37c7d0767ba28f4df46117d478f97652594c491c | ||
- type: ECOSYSTEM | ||
events: | ||
- introduced: "0" | ||
- fixed: 0.1.8 | ||
references: | ||
- type: EVIDENCE | ||
url: https://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158 | ||
- type: WEB | ||
url: https://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158 | ||
- type: EVIDENCE | ||
url: https://github.com/DataDog/guarddog/security/advisories/GHSA-78m5-jpmf-ch7v | ||
- type: ADVISORY | ||
url: https://github.com/DataDog/guarddog/security/advisories/GHSA-78m5-jpmf-ch7v | ||
- type: FIX | ||
url: https://github.com/DataDog/guarddog/commit/37c7d0767ba28f4df46117d478f97652594c491c | ||
aliases: | ||
- CVE-2022-23530 | ||
- GHSA-78m5-jpmf-ch7v | ||
modified: "2022-12-22T14:43:00Z" | ||
published: "2022-12-16T23:15:00Z" |
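Review bot: the references block lists each URL twice under different types (the package_scanner.py permalink at lines 153..158 appears as both EVIDENCE and WEB, and the GHSA-78m5-jpmf-ch7v advisory page as both EVIDENCE and ADVISORY); keep one entry per URL with the most specific type (EVIDENCE for the code permalink, ADVISORY for the GHSA page) unless the importer deliberately emits both. The version data is otherwise consistent: the ECOSYSTEM range's `fixed: 0.1.8` matches "Versions prior to v0.1.8" in details, and the GIT range's fixed commit is the same commit referenced under FIX.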
@@ -0,0 +1,37 @@ | ||
id: PYSEC-0000-CVE-2022-23531 | ||
details: GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior | ||
to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted | ||
local PyPI package. Running GuardDog against a specially-crafted package can allow | ||
an attacker to write an arbitrary file on the machine where GuardDog is executed | ||
due to a path traversal vulnerability when extracting the .tar.gz file of the package | ||
being scanned, which exists by design in the tarfile.TarFile.extractall function. | ||
This issue is patched in version 0.1.5. | ||
affected: | ||
- package: | ||
name: guarddog | ||
ecosystem: PyPI | ||
purl: pkg:pypi/guarddog | ||
ranges: | ||
- type: GIT | ||
repo: https://github.com/DataDog/guarddog | ||
events: | ||
- introduced: "0" | ||
- fixed: a56aff58264cb6b7855d71b00dc10c39a5dbd306 | ||
- type: ECOSYSTEM | ||
events: | ||
- introduced: "0" | ||
- fixed: 0.1.5 | ||
references: | ||
- type: WEB | ||
url: https://github.com/DataDog/guarddog/releases/tag/v0.1.5 | ||
- type: ADVISORY | ||
url: https://github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vq | ||
- type: FIX | ||
url: https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306 | ||
- type: WEB | ||
url: https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306 | ||
aliases: | ||
- CVE-2022-23531 | ||
- GHSA-rp2v-v467-q9vq | ||
modified: "2022-12-22T14:43:00Z" | ||
published: "2022-12-17T00:15:00Z" |
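Review bot: the FIX and WEB entries at the end of references both point at the same pull/89 commit URL; drop the WEB duplicate so consumers do not show the fix link twice. The rest lines up: the ECOSYSTEM range's `fixed: 0.1.5` matches "prior to 0.1.5" in details and the v0.1.5 release reference, and the GIT range's fixed commit a56aff58264cb6b7855d71b00dc10c39a5dbd306 is the commit in the FIX URL.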
@@ -0,0 +1,40 @@ | ||
id: PYSEC-0000-CVE-2022-4572 | ||
details: A vulnerability, which was classified as problematic, has been found in UBI | ||
Reader up to 0.8.0. Affected by this issue is the function ubireader_extract_files | ||
of the file ubireader/ubifs/output.py of the component UBIFS File Handler. The manipulation | ||
leads to path traversal. The attack may be launched remotely. Upgrading to version | ||
0.8.5 is able to address this issue. The name of the patch is d5d68e6b1b9f7070c29df5f67fc060f579ae9139. | ||
It is recommended to upgrade the affected component. VDB-216146 is the identifier | ||
assigned to this vulnerability. | ||
affected: | ||
- package: | ||
name: ubi-reader | ||
ecosystem: PyPI | ||
purl: pkg:pypi/ubi-reader | ||
ranges: | ||
- type: GIT | ||
repo: https://github.com/jrspruitt/ubi_reader | ||
events: | ||
- introduced: "0" | ||
- fixed: d5d68e6b1b9f7070c29df5f67fc060f579ae9139 | ||
- type: ECOSYSTEM | ||
events: | ||
- introduced: "0" | ||
- fixed: 0.8.2 | ||
references: | ||
- type: WEB | ||
url: https://github.com/jrspruitt/ubi_reader/releases/tag/v0.8.5-master | ||
- type: FIX | ||
url: https://github.com/jrspruitt/ubi_reader/commit/d5d68e6b1b9f7070c29df5f67fc060f579ae9139 | ||
- type: WEB | ||
url: https://vuldb.com/?id.216146 | ||
- type: REPORT | ||
url: https://github.com/jrspruitt/ubi_reader/pull/57 | ||
- type: FIX | ||
url: https://github.com/jrspruitt/ubi_reader/pull/57 | ||
- type: WEB | ||
url: https://github.com/jrspruitt/ubi_reader/pull/57 | ||
aliases: | ||
- CVE-2022-4572 | ||
modified: "2022-12-22T14:47:00Z" | ||
published: "2022-12-17T02:15:00Z" |
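Review bot: the ECOSYSTEM range says `fixed: 0.8.2`, but the details text says "up to 0.8.0" is affected and "Upgrading to version 0.8.5 is able to address this issue", and the release reference is v0.8.5-master, so three different versions are given for one boundary; confirm which PyPI release first contains commit d5d68e6b1b9f7070c29df5f67fc060f579ae9139 (the GIT range's fixed event) and set the ECOSYSTEM fixed event to that, otherwise matching tools will treat 0.8.2 through 0.8.4 as unaffected while the prose says otherwise. The pull/57 URL is also listed three times (REPORT, FIX, WEB); one entry is enough, since the fixing commit is already referenced separately under FIX.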