GuardDog is a CLI tool to identify malicious PyPI packages. Versions before 0.1.5 are vulnerable to Relative Path Traversal when scanning a specially-crafted local PyPI package. Running GuardDog against a specially-crafted package can allow an malicious user to write an arbitrary file on the machine where GuardDog is executed due to a path traversal vulnerability when extracting the .tar.gz file of the package being scanned, which exists by design in the tarfile.TarFile.extractall function. This issue is patched in version 0.1.5.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
datadoghq guarddog |