CVE-2022-23522 – Arbitrary File Write when Extracting Tarballs retrieved from a remote location using in mindsdb

https://notcve.org/view.php?id=CVE-2022-23522

MindsDB is an open source machine learning platform. An unsafe extraction is being performed using `shutil.unpack_archive()` from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. This vulnerability is sometimes called a **TarSlip** or a **ZipSlip variant**. Unpacking files using the high-level function `shutil.unpack_archive()` from a potentially malicious tarball without validating that the destination file path remained within the intended destination directory may cause files to be overwritten outside the destination directory. • https://github.com/mindsdb/mindsdb/security/advisories/GHSA-7x45-phmr-9wqp • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •