CVE-2022-36007

Name of the Vulnerable Software and Affected Versions Venice versions prior to 1.10.18

Description A partial path traversal issue exists within the functions load-file and load-resource. These functions can be limited to load files from a list of load paths. When passing absolute paths to these two vulnerable functions, Venice may return files outside the configured load paths. This issue’s scope is limited to absolute paths whose name prefix matches a load path.

Recommendations Upgrade to Venice >= 1.10.18, if you are on a version < 1.10.18. As a temporary workaround, consider controlling the functions that can be used in Venice with a sandbox and blacklisting the functions load-file and load-resource in the sandbox, if upgrading is not possible.