{"id":"PYSEC-2022-225","details":"The ganga-devs/ganga repository before 8.5.10 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.","aliases":["CVE-2022-31507","GHSA-7488-6x3r-23w5"],"modified":"2023-11-08T04:09:30.981496Z","published":"2022-07-11T01:15:00Z","references":[{"type":"FIX","url":"https://github.com/ganga-devs/ganga/commit/730e7aba192407d35eb37dd7938d49071124be8c"},{"type":"WEB","url":"https://github.com/ganga-devs/ganga/releases/tag/8.5.10"},{"type":"REPORT","url":"https://github.com/github/securitylab/issues/669#issuecomment-1117265726"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-7488-6x3r-23w5"}],"affected":[{"package":{"name":"ganga","ecosystem":"PyPI","purl":"pkg:pypi/ganga"},"ranges":[{"type":"GIT","repo":"https://github.com/ganga-devs/ganga","events":[{"introduced":"0"},{"fixed":"730e7aba192407d35eb37dd7938d49071124be8c"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"8.5.10"}]}],"versions":["6.1.15","6.1.16","6.1.17","6.1.18","6.1.19","6.1.20","6.1.21","6.1.22","6.1.23","6.1.24","6.1.25","6.2.0","6.2.1","6.2.2","6.2.3","6.3.0","6.3.1","6.4.0","6.5.0","6.5.1","6.5.2","6.6.0","6.6.1","6.6.2","6.6.3","6.6.4","6.7.0","6.7.1","6.7.2","6.7.3","6.7.4","7.0.0","7.0.1","7.0.2","7.0.3","7.0.4","7.1.0","7.1.1","7.1.10","7.1.11","7.1.12","7.1.13","7.1.14","7.1.15","7.1.3","7.1.4","7.1.5","7.1.6","7.1.7","7.1.8","7.1.9","8.0.0","8.0.1","8.0.2","8.0.3","8.1.0","8.2.0","8.2.1","8.2.2","8.2.3","8.2.4","8.3.0","8.3.1","8.3.2","8.3.3","8.3.4","8.3.4rc0","8.3.5","8.4.0","8.4.1","8.4.2","8.4.4","8.4.5","8.4.6","8.4.7","8.4.8","8.5.0","8.5.1","8.5.2","8.5.3","8.5.4","8.5.5","8.5.6","8.5.7","8.5.8","8.5.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/ganga/PYSEC-2022-225.yaml"}}],"schema_version":"1.7.3"}