PT-2022-16056 · Guarddog · Guarddog

Sim4N6 · Published 2022-12-05 · Updated 2022-12-22 · CVE-2022-23530

CVSS v3.1: 5.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: GuardDog versions prior to v0.1.8
Description: GuardDog is a CLI tool to identify malicious PyPI packages. The issue arises when extracting files using shutil.unpack_archive() from a potentially malicious tarball without validating that each destination file path is within the intended destination directory, which allows files outside the destination directory to be overwritten. This can be exploited by an attacker crafting a malicious tarball containing a member with a traversal filename, such as ../../../../../../../../etc/passwd, and serving the archive remotely, thus providing a possibility to overwrite system files.
Recommendations: To resolve the issue, update to version 0.1.8 or later. As a temporary workaround, consider using a safer module, like zipfile, and validate the location of every extracted file, discarding members whose paths are absolute or contain a relative .. component.
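The following is an added example, not GuardDog's own code, showing the defensive extraction the recommendation describes: instead of handing a downloaded tarball straight to shutil.unpack_archive(), each member's final on-disk path is resolved and required to stay under the destination directory, and only regular files and directories are written. The archive it extracts is constructed in memory for the demonstration (the package name "pkg" and the member names are made up); it mixes one legitimate file with the member kinds a scanner should refuse: a "../" traversal name, an absolute name, and a symlink pointing outside the tree.

```python
import io
import os
import shutil
import tarfile
import tempfile


def build_constructed_archive() -> bytes:
    """Build a constructed (not real) sdist-style tar.gz in memory.

    Members: a legitimate package file, a '../' traversal name, an
    absolute name, and a symlink whose target lies outside the tree.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, data=b"", kind=tarfile.REGTYPE, linkname=""):
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = linkname
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)

        add("pkg", kind=tarfile.DIRTYPE)
        add("pkg/setup.py", b"from setuptools import setup\nsetup(name='pkg')\n")
        add("../../../../etc/passwd", b"root::0:0::/root:/bin/sh\n")       # traversal name
        add("/tmp/absolute.txt", b"dropped anywhere\n")                     # absolute name
        add("pkg/escape", kind=tarfile.SYMTYPE, linkname="../../outside")  # symlink out
    return buf.getvalue()


def safe_extract(archive_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only regular files and directories that resolve inside dest.

    Returns (extracted_names, rejected_names). Members with absolute
    names, names that resolve outside dest, or non-regular types
    (symlinks, hard links, devices) are skipped rather than written.
    """
    dest_root = os.path.realpath(dest)
    os.makedirs(dest_root, exist_ok=True)
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            # Resolve the final on-disk location (following any symlinks
            # already on disk) and require it to stay under dest_root.
            target = os.path.realpath(os.path.join(dest_root, member.name))
            inside = os.path.commonpath([dest_root, target]) == dest_root
            if os.path.isabs(member.name) or not inside:
                rejected.append(member.name)
                continue
            if member.isdir():
                os.makedirs(target, exist_ok=True)
                extracted.append(member.name)
                continue
            if not member.isfile():
                rejected.append(member.name)  # symlinks, hard links, devices
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                shutil.copyfileobj(src, out)
            extracted.append(member.name)
    return extracted, rejected


def demo() -> dict:
    """Run the extractor in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "unpacked")
        extracted, rejected = safe_extract(build_constructed_archive(), dest)
        return {
            "extracted": extracted,
            "rejected": rejected,
            "setup_py_present": os.path.isfile(os.path.join(dest, "pkg", "setup.py")),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check compares realpath-resolved paths rather than string prefixes, so "pkg" and "pkg-evil/.." are not confused and a symlink dropped earlier in the archive cannot redirect a later member. Refusing symlink and hard-link members outright is the simplest safe policy for a scanner that only needs file contents. On Python 3.12 and later, tarfile's extraction filters (extractall(..., filter="data")) apply similar rules, but validating each member yourself keeps the behaviour explicit and works on older interpreters.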


Weakness Enumeration: Path traversal

Related Identifiers: CVE-2022-23530, GHSA-78M5-JPMF-CH7V, PYSEC-2022-42993

Affected Products: Guarddog