Skip to content

Ganga allows absolute path traversal

Critical severity GitHub Reviewed Published Jul 13, 2022 to the GitHub Advisory Database • Updated Sep 7, 2023

Package

pip ganga (pip)

Affected versions

< 8.5.10

Patched versions

8.5.10

Description

The ganga-devs/ganga repository before 8.5.10 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.

References

Published by the National Vulnerability Database Jul 11, 2022
Published to the GitHub Advisory Database Jul 13, 2022
Reviewed Jul 13, 2022
Last updated Sep 7, 2023

Severity

Critical
9.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Weaknesses

CVE ID

CVE-2022-31507

GHSA ID

GHSA-7488-6x3r-23w5

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.