GHSA-7488-6x3r-23w5

Source

https://github.com/advisories/GHSA-7488-6x3r-23w5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-7488-6x3r-23w5/GHSA-7488-6x3r-23w5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7488-6x3r-23w5

Aliases

Published

2022-07-13T15:43:03Z

Modified

2025-02-21T05:31:10.336541Z

Severity

9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L CVSS Calculator
9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L CVSS Calculator

Summary

Ganga allows absolute path traversal

Details

The ganga-devs/ganga repository before 8.5.10 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.

Database specific

{
    "nvd_published_at": "2022-07-11T01:15:00Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-13T15:43:03Z"
}

References

Affected packages

PyPI / ganga

Package

Name: ganga; View open source insights on deps.dev
Purl: pkg:pypi/ganga

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.5.10

Affected versions

6.*

6.1.15

6.1.16

6.1.17

6.1.18

6.1.19

6.1.20

6.1.21

6.1.22

6.1.23

6.1.24

6.1.25

6.2.0

6.2.1

6.2.2

6.2.3

6.3.0

6.3.1

6.4.0

6.5.0

6.5.1

6.5.2

6.6.0

6.6.1

6.6.2

6.6.3

6.6.4

6.7.0

6.7.1

6.7.2

6.7.3

6.7.4

7.*

7.0.0

7.0.1

7.0.2

7.0.3

7.0.4

7.1.0

7.1.1

7.1.3

7.1.4

7.1.5

7.1.6

7.1.7

7.1.8

7.1.9

7.1.10

7.1.11

7.1.12

7.1.13

7.1.14

7.1.15

8.*

8.0.0

8.0.1

8.0.2

8.0.3

8.1.0

8.2.0

8.2.1

8.2.2

8.2.3

8.2.4

8.3.0

8.3.1

8.3.2

8.3.3

8.3.4rc0

8.3.4

8.3.5

8.4.0

8.4.1

8.4.2

8.4.4

8.4.5

8.4.6

8.4.7

8.4.8

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.7

8.5.8

8.5.9