CVE-2022-23531: 
Python vulnerability analysis and mitigation

GuardDog, a CLI tool designed to identify malicious PyPI packages, was found to contain a Relative Path Traversal vulnerability (CVE-2022-23531) affecting versions prior to 0.1.5. The vulnerability was discovered and disclosed in December 2022, impacting the package scanning functionality when examining specially-crafted local PyPI packages (NVD).

The vulnerability exists due to a path traversal issue when extracting .tar.gz files of packages being scanned, which is inherent in the tarfile.TarFile.extractall function. The issue received a CVSS v3.1 Base Score of 7.8 (HIGH) from NIST NVD with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while GitHub assessed it with a score of 5.8 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

When exploited, this vulnerability allows an attacker to write arbitrary files on the machine where GuardDog is executed. This occurs when GuardDog scans a specially-crafted package, potentially leading to significant security compromises on the affected system (GitHub Advisory).

The vulnerability was patched in GuardDog version 0.1.5. The fix involved replacing the built-in tarfile module with the tarsafe library for extracting archives, which provides better security against path traversal attacks (GitHub Release, GitHub Patch).