9.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31506

CVE-2022-31506: SatyaLab opendiamond 10.1.1 vulnerable to path traversal because Flask send_file function used unsafely

The cmusatyalab/opendiamond repository through 10.1.1 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. A patch is available on the master branch of the repository.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-31506

CVE-2022-31506:

9.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
opendiamond	pip	<= 10.1.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using os.path.join() with untrusted input to construct filesystem paths passed to Flask's send_file. The commit patching this issue systematically replaces os.path.join() with werkzeug.security.safe_join across multiple files, indicating these were all vulnerable path construction points. Each identified function handles user-controllable path components (obj_path, rel_path) and constructs absolute paths without proper validation, enabling attackers to escape the restricted directory via absolute paths or directory traversal sequences. The high confidence comes from: 1) Explicit replacement of os.path.join in the security fix 2) Direct connection between these functions and send_file usage 3) CWE-22 pattern matching for path traversal vulnerabilities.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-31506: SatyaLab opendiamond 10.1.1 vulnerable to path traversal because Flask send_file function used unsafely

CVE-2022-31506:

9.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

9.3

9.3

Basic Information

Basic Information

Technical Details

CVE-2022-31506: SatyaLab opendiamond 10.1.1 vulnerable to path traversal because Flask send_file function used unsafely

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI