Path traversal in GuardDog - CVE-2022-23530

 

Path traversal in GuardDog - CVE-2022-23530

Published: February 16, 2023


Vulnerability identifier: #VU72326
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2022-23530
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: DataDog
Affected software:
GuardDog

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to input validation error when extracting files using the shutil.unpack_archive() function. A remote attacker can pass a specially crafted archive to the application and write files to an arbitrary location on the system.

Successful exploitation of the vulnerability may allows an attacker to compromise the affected system.


How to mitigate CVE-2022-23530

Install update from vendor's website.

Sources