CVE-2022-23530
MEDIUM5.8EPSS 0.81%GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package
描述
### Summary Unsafe extracting using `shutil.unpack_archive()` from a remotely retrieved tarball may lead to writing the extracted file to an unintended destination. ### Details Extracting files using `shutil.unpack_archive()` from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten. The vulnerable code snippet is between [L153..158](https://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158). ```python response = requests.get(url, stream=True) with open(zippath, "wb") as f: f.write(response.raw.read()) shutil.unpack_archive(zippath, unzippedpath) ``` It seems that a remotely retrieved tarball which could be with the extension `.tar.gz` happens to be unpacked using `shutil.unpack_archive()` with no destination verification/limitation of the extracted files. ### PoC The PoC provided showcases the risk of extracting the non-harmless text file `sim4n6.txt` to a parent location rather than the current folder. ```bash > tar --list -f archive.tar tar: Removing leading `../../../' from member names ../../../sim4n6.txt > python3 Python 3.10.6 (main, Nov 2 2022, 18:53:38) [GCC 11.3.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import shutil >>> shutil.unpack_archive("archive.tar") >>> exit() > file ../../../sim4n6.txt ../../../sim4n6.txt: ASCII text ``` ### A Potential Attack Scenario - An attacker may craft a malicious tarball with a filename path, such as `../../../../../../../../etc/passwd`, and then serve the archive remotely, thus, providing a possibility to overwrite the system files. ### Mitigation Potential mitigation could be to: - Use a safer module, like `zipfile`. - Validate the location of the extracted files and discard those with malicious paths such as a relative path `..` or absolute ones.
受影響套件(2)
- PyPI/guarddogfrom 0, < 0.1.8
- PyPI/guarddogfrom 0, < 37c7d0767ba28f4df46117d478f97652594c491c | from 0, < 0.1.8
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L |
| osv | CVSS 3.1 | MEDIUM5.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-23530
- PATCHhttps://github.com/DataDog/guarddog
- WEBhttps://github.com/DataDog/guarddog/blob/a1d064ceb09d39bb28deb6972bc0a278756ea91f/guarddog/scanners/package_scanner.py#L153..158
- WEBhttps://github.com/DataDog/guarddog/commit/37c7d0767ba28f4df46117d478f97652594c491c
- WEBhttps://github.com/DataDog/guarddog/security/advisories/GHSA-78m5-jpmf-ch7v
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/guarddog/PYSEC-2022-42993.yaml