CVE-2022-31507 (High) detected in ganga-8.5.9.tar.gz - autoclosed

[mend-for-github-com[bot]]

CVE-2022-31507 - High Severity Vulnerability

Vulnerable Library - ganga-8.5.9.tar.gz

Job management tool

Library home page: https://files.pythonhosted.org/packages/6e/85/9d7e7eb7551f9a4c76317a6efd5ac613e8b66c039026a6cdecc05c192ce8/ganga-8.5.9.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy: - :x: **ganga-8.5.9.tar.gz** (Vulnerable Library)

Found in HEAD commit: 85f56e10156087bb76d88c8d68df7a3498c64cd7

Found in base branch: main

Vulnerability Details

The ganga-devs/ganga repository before 8.5.10 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.

Publish Date: 2022-07-11

URL: CVE-2022-31507

CVSS 3 Score Details (9.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-7488-6x3r-23w5

Release Date: 2022-07-11

Fix Resolution: ganga - 8.5.10

---

:rescue_worker_helmet: Automatic Remediation is available for this issue

[mend-for-github-com[bot]]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.