{"id":"CVE-2022-31503","details":"The orchest/orchest repository before 2022.05.0 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.","modified":"2026-04-10T04:48:00.183297Z","published":"2022-07-11T01:15:08.127Z","references":[{"type":"ADVISORY","url":"https://github.com/orchest/orchest/releases/tag/v2022.05.0"},{"type":"REPORT","url":"https://github.com/github/securitylab/issues/669#issuecomment-1117265726"},{"type":"FIX","url":"https://github.com/orchest/orchest/pull/913"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/orchest/orchest","events":[{"introduced":"0"},{"fixed":"5a46d528148fa12e767fc4d906fb5725fb4eea14"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2022.05.0"}]}}],"versions":["v0.2.1-alpha","v0.2.3","v0.2.4","v0.3.0","v0.3.1","v0.3.2","v0.3.3","v0.3.4","v0.3.5","v0.3.6","v0.3.7","v0.3.8","v0.3.9","v0.4.0","v0.4.1","v0.4.2","v0.5.0","v0.6.0","v0.6.1","v0.7.0","v0.9.0","v0.9.2","v0.9.3","v0.9.4","v0.9.5","v0.9.6","v2021.03.0","v2021.03.1","v2021.03.10","v2021.03.2","v2021.03.3","v2021.03.4","v2021.03.5","v2021.03.6","v2021.03.7","v2021.03.8","v2021.03.9","v2021.04.01","v2021.04.02","v2021.04.03","v2021.04.04","v2021.04.10","v2021.04.11","v2021.04.8","v2021.04.9","v2021.05.0","v2021.05.1","v2021.06.0","v2021.06.1","v2021.06.2","v2021.06.3","v2021.06.4","v2021.06.5","v2021.06.6","v2021.06.7","v2021.06.8","v2021.07.1","v2021.07.2","v2021.07.3","v2021.08.1","v2021.08.2","v2021.08.3","v2021.08.4","v2021.09.0","v2021.09.1","v2021.09.10","v2021.09.2","v2021.09.3","v2021.09.4","v2021.09.5","v2021.09.6","v2021.09.7","v2021.09.8","v2021.09.9","v2021.10.0","v2021.10.1","v2021.10.2","v2021.11.0","v2021.11.1","v2021.11.2","v2021.11.3","v2021.11.4","v2021.12.0","v2021.12.1","v2021.12.2","v2021.12.3","v2022.01.0","v2022.01.1","v2022.01.2","v2022.01.3","v2022.02.1","v2022.02.2","v2022.02.3","v2022.02.4","v2022.02.5","v2022.02.6","v2022.02.7","v2022.02.8","v2022.02.9","v2022.03.0","v2022.03.1","v2022.03.10","v2022.03.2","v2022.03.3","v2022.03.4","v2022.03.5","v2022.03.6","v2022.03.7","v2022.03.8","v2022.03.9","v2022.04.0","v2022.04.1","v2022.04.2","v2022.04.3","v2022.04.4","v2022.04.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31503.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L"}]}