From ca8c88436e957403f7f0d42d50bd93a72ad5595f Mon Sep 17 00:00:00 2001 From: github-actions Date: Thu, 22 Dec 2022 15:17:00 +0000 Subject: [PATCH] Auto import --- vulns/guarddog/PYSEC-0000-CVE-2022-23530.yaml | 40 +++++++++++++++++++ vulns/guarddog/PYSEC-0000-CVE-2022-23531.yaml | 37 +++++++++++++++++ .../ubi-reader/PYSEC-0000-CVE-2022-4572.yaml | 40 +++++++++++++++++++ 3 files changed, 117 insertions(+) create mode 100644 vulns/guarddog/PYSEC-0000-CVE-2022-23530.yaml create mode 100644 vulns/guarddog/PYSEC-0000-CVE-2022-23531.yaml create mode 100644 vulns/ubi-reader/PYSEC-0000-CVE-2022-4572.yaml diff --git a/vulns/guarddog/PYSEC-0000-CVE-2022-23530.yaml b/vulns/guarddog/PYSEC-0000-CVE-2022-23530.yaml new file mode 100644 index 00000000..3bc72519 --- /dev/null +++ b/vulns/guarddog/PYSEC-0000-CVE-2022-23530.yaml 
@@ -0,0 +1,40 @@ +id: PYSEC-0000-CVE-2022-23530 +details: GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior + to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted + remote PyPI package. Extracting files using shutil.unpack_archive() from a potentially + malicious tarball without validating that the destination file path is within the + intended destination directory can cause files outside the destination directory + to be overwritten. This issue is patched in version 0.1.8. Potential workarounds + include using a safer module, like zipfile, and validating the location of the extracted + files and discarding those with malicious paths. +affected: +- package: + name: guarddog + ecosystem: PyPI + purl: pkg:pypi/guarddog + ranges: + - type: GIT + repo: https://github.com/DataDog/guarddog + events: + - introduced: "0" + - fixed: 37c7d0767ba28f4df46117d478f97652594c491c + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 0.1.8 +references: +- type: EVIDENCE + url: https://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158 +- type: WEB + url: https://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158 +- type: EVIDENCE + url: https://github.com/DataDog/guarddog/security/advisories/GHSA-78m5-jpmf-ch7v +- type: ADVISORY + url: https://github.com/DataDog/guarddog/security/advisories/GHSA-78m5-jpmf-ch7v +- type: FIX + url: https://github.com/DataDog/guarddog/commit/37c7d0767ba28f4df46117d478f97652594c491c +aliases: +- CVE-2022-23530 +- GHSA-78m5-jpmf-ch7v +modified: "2022-12-22T14:43:00Z" +published: "2022-12-16T23:15:00Z" diff --git a/vulns/guarddog/PYSEC-0000-CVE-2022-23531.yaml b/vulns/guarddog/PYSEC-0000-CVE-2022-23531.yaml new file mode 100644 index 00000000..93f30f01 --- /dev/null +++ b/vulns/guarddog/PYSEC-0000-CVE-2022-23531.yaml 
@@ -0,0 +1,37 @@ +id: PYSEC-0000-CVE-2022-23531 +details: GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior + to 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted + local PyPI package. Running GuardDog against a specially-crafted package can allow + an attacker to write an arbitrary file on the machine where GuardDog is executed + due to a path traversal vulnerability when extracting the .tar.gz file of the package + being scanned, which exists by design in the tarfile.TarFile.extractall function. + This issue is patched in version 0.1.5. +affected: +- package: + name: guarddog + ecosystem: PyPI + purl: pkg:pypi/guarddog + ranges: + - type: GIT + repo: https://github.com/DataDog/guarddog + events: + - introduced: "0" + - fixed: a56aff58264cb6b7855d71b00dc10c39a5dbd306 + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 0.1.5 +references: +- type: WEB + url: https://github.com/DataDog/guarddog/releases/tag/v0.1.5 +- type: ADVISORY + url: https://github.com/DataDog/guarddog/security/advisories/GHSA-rp2v-v467-q9vq +- type: FIX + url: https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306 +- type: WEB + url: https://github.com/DataDog/guarddog/pull/89/commits/a56aff58264cb6b7855d71b00dc10c39a5dbd306 +aliases: +- CVE-2022-23531 +- GHSA-rp2v-v467-q9vq +modified: "2022-12-22T14:43:00Z" +published: "2022-12-17T00:15:00Z" diff --git a/vulns/ubi-reader/PYSEC-0000-CVE-2022-4572.yaml b/vulns/ubi-reader/PYSEC-0000-CVE-2022-4572.yaml new file mode 100644 index 00000000..8744c44b --- /dev/null +++ b/vulns/ubi-reader/PYSEC-0000-CVE-2022-4572.yaml 
@@ -0,0 +1,40 @@ +id: PYSEC-0000-CVE-2022-4572 +details: A vulnerability, which was classified as problematic, has been found in UBI + Reader up to 0.8.0. Affected by this issue is the function ubireader_extract_files + of the file ubireader/ubifs/output.py of the component UBIFS File Handler. The manipulation + leads to path traversal. The attack may be launched remotely. Upgrading to version + 0.8.5 is able to address this issue. The name of the patch is d5d68e6b1b9f7070c29df5f67fc060f579ae9139. + It is recommended to upgrade the affected component. VDB-216146 is the identifier + assigned to this vulnerability. +affected: +- package: + name: ubi-reader + ecosystem: PyPI + purl: pkg:pypi/ubi-reader + ranges: + - type: GIT + repo: https://github.com/jrspruitt/ubi_reader + events: + - introduced: "0" + - fixed: d5d68e6b1b9f7070c29df5f67fc060f579ae9139 + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 0.8.2 +references: +- type: WEB + url: https://github.com/jrspruitt/ubi_reader/releases/tag/v0.8.5-master +- type: FIX + url: https://github.com/jrspruitt/ubi_reader/commit/d5d68e6b1b9f7070c29df5f67fc060f579ae9139 +- type: WEB + url: https://vuldb.com/?id.216146 +- type: REPORT + url: https://github.com/jrspruitt/ubi_reader/pull/57 +- type: FIX + url: https://github.com/jrspruitt/ubi_reader/pull/57 +- type: WEB + url: https://github.com/jrspruitt/ubi_reader/pull/57 +aliases: +- CVE-2022-4572 +modified: "2022-12-22T14:47:00Z" +published: "2022-12-17T02:15:00Z"
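Review bot: in the PYSEC-0000-CVE-2022-23530 hunk (vulns/guarddog/PYSEC-0000-CVE-2022-23530.yaml), the `references` list carries each URL twice under different types: the package_scanner.py permalink appears as both `EVIDENCE` and `WEB`, and the GHSA-78m5-jpmf-ch7v advisory appears as both `EVIDENCE` and `ADVISORY`. Keep one entry per URL with the most specific type (`WEB` for the source permalink, `ADVISORY` for the advisory) so downstream consumers do not render duplicate links. Separately, the fragment `#L153..158` on the package_scanner.py permalink is not a GitHub line-range anchor (GitHub expects `#L153-L158`), so the link opens the file at commit a1d064c but will not highlight the cited lines; fix the anchor or drop it.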
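Review bot: in the PYSEC-0000-CVE-2022-23531 hunk (vulns/guarddog/PYSEC-0000-CVE-2022-23531.yaml), the `FIX` and `WEB` entries point at the same `pull/89/commits/a56aff58...` URL; drop the `WEB` duplicate. For consistency with the sibling file, which links the fix as `/commit/<sha>`, the `FIX` entry would be better expressed as `https://github.com/DataDog/guarddog/commit/a56aff58264cb6b7855d71b00dc10c39a5dbd306`, the same SHA the GIT range already records as `fixed`, so the reference resolves even if the PR is later rebased or closed.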
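Review bot: in the PYSEC-0000-CVE-2022-4572 hunk (vulns/ubi-reader/PYSEC-0000-CVE-2022-4572.yaml), the ECOSYSTEM range ends at `fixed: 0.8.2` while the `details` text says "Upgrading to version 0.8.5 is able to address this issue" and the first reference is the `v0.8.5-master` release tag; the record therefore tells scanners that 0.8.2 through 0.8.4 are safe even though the advisory text names 0.8.5 as the fix. Confirm which PyPI release of ubi-reader first contains commit d5d68e6b1b9f7070c29df5f67fc060f579ae9139 and make the `fixed` version, the `details` text and the release-tag reference agree before merging. Also, `https://github.com/jrspruitt/ubi_reader/pull/57` is listed three times (`REPORT`, `FIX`, `WEB`); one `REPORT` entry is enough, since the commit is already present as the `FIX`.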