PT-2022-20823 · Pleomax00 · Flask-Mongo-Skel

Ghost

Published

2022-07-11

Updated

2022-07-15

CVE-2022-31551

CVSS v3.1

9.3

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Name of the Vulnerable Software and Affected Versions pleomax00/flask-mongo-skel versions through 2012-11-01

Description The issue allows absolute path traversal due to the unsafe use of the Flask send file function. This enables potential access to sensitive files outside the intended directory.

Recommendations For versions through 2012-11-01, consider restricting access to the send file function until a safer implementation is available. As a temporary workaround, avoid using the send file function for sensitive files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2022-31551

Affected Products

Flask-Mongo-Skel

PT-2022-20823 · Pleomax00 · Flask-Mongo-Skel

CVE-2022-31551

Weakness Enumeration

Related Identifiers

Affected Products

References · 4