
CVE-2022-31506: SatyaLab opendiamond 10.1.1 vulnerable to path traversal because Flask send_file function used unsafely

CVSS Score (v3.1): 9.3

Basic Information

EPSS Score: 0.28097%
Published: 7/12/2022
Updated: 9/2/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
opendiamond  | pip       | <= 10.1.1           |

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stems from using os.path.join() with untrusted input to construct filesystem paths passed to Flask's send_file. The commit patching this issue systematically replaces os.path.join() with werkzeug.security.safe_join across multiple files, indicating these were all vulnerable path construction points. Each identified function handles user-controllable path components (obj_path, rel_path) and constructs absolute paths without proper validation, enabling attackers to escape the restricted directory via absolute paths or directory traversal sequences. The high confidence comes from:

1) the explicit replacement of os.path.join in the security fix;
2) the direct connection between these functions and send_file usage;
3) CWE-22 pattern matching for path traversal vulnerabilities.
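To make the root cause concrete, here is an added Python example that is not code from opendiamond or from its patch. It places the os.path.join pattern the analysis describes beside a stdlib-only resolver modelled on the behaviour of werkzeug.security.safe_join (the real fix imports werkzeug's function; this reimplementation exists only so the example runs without Flask installed). The base directory, the file names and the function names are constructed for the example.

```python
import posixpath

# Constructed sample base directory; opendiamond's real directory layout is not assumed.
BASE_DIR = "/srv/opendiamond/data"


def unsafe_resolve(base, user_component):
    """The vulnerable pattern: join an untrusted path component onto a base directory.

    posixpath.join (os.path.join on POSIX) discards `base` entirely when
    `user_component` is absolute, and leaves '..' segments untouched, so the
    result handed to send_file can point anywhere on the filesystem.
    """
    return posixpath.join(base, user_component)


def safe_resolve(base, user_component):
    """Hardened resolver modelled on werkzeug.security.safe_join (not its code).

    Returns the joined path, or None when the component would leave `base`;
    a caller should answer None with a 404 instead of calling send_file.
    """
    if user_component != "":
        # Collapse 'a/../b' style segments first, so a traversal that survives
        # normalisation shows up as a leading '..' segment.
        user_component = posixpath.normpath(user_component)
    if (
        "\\" in user_component               # alternate separator on Windows
        or posixpath.isabs(user_component)   # an absolute component would replace base
        or user_component == ".."
        or user_component.startswith("../")
    ):
        return None
    return posixpath.join(base, user_component)


def compare(base, components):
    """Resolve each component both ways; returns (input, unsafe, safe) triples."""
    return [(c, unsafe_resolve(base, c), safe_resolve(base, c)) for c in components]


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate relative path, an absolute path,
    # a plain traversal, and a traversal hidden behind a normalisable prefix.
    samples = [
        "scope/a/../result.txt",
        "/outside/secret.txt",
        "../../outside/secret.txt",
        "scope/../../secret.txt",
    ]
    for original, unsafe, safe in compare(BASE_DIR, samples):
        print(f"{original!r:30} unsafe -> {unsafe!r:50} safe -> {safe!r}")
```

The check rejects the component rather than trying to repair it, which is the same design choice werkzeug makes: any absolute component or any '..' that survives normalisation is treated as a refusal to serve, and only a non-None result should ever reach send_file.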


WAF Protection Rules

WAF Rule

The cmusatyalab/opendiamond repository through 10.1.1 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. A patch is available on the `master` branch of the repository.
