{"id":"PYSEC-2022-223","details":"mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../ directory traversal during the ZIP archive cleaning process. This primarily affects mat2 web instances, in which clients could obtain sensitive information via a crafted archive.","aliases":["CVE-2022-35410","GHSA-f33p-9287-h552"],"modified":"2023-11-08T04:09:50.900099Z","published":"2022-07-08T18:15:00Z","references":[{"type":"WEB","url":"https://0xacab.org/jvoisin/mat2/-/commit/beebca4bf1cd3b935824c966ce077e7bcf610385"},{"type":"WEB","url":"https://dustri.org/b/mat2-0130.html"},{"type":"WEB","url":"https://0xacab.org/jvoisin/mat2/-/issues/174"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-f33p-9287-h552"}],"affected":[{"package":{"name":"mat2","ecosystem":"PyPI","purl":"pkg:pypi/mat2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.13.0"}]}],"versions":["0.10.0","0.10.1","0.11.0","0.12.1","0.12.2","0.12.3","0.12.4","0.6.0","0.7.0","0.8.0","0.9.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/mat2/PYSEC-2022-223.yaml"}}],"schema_version":"1.7.3"}