Vulnerability Details CVE-2022-31503
The orchest/orchest repository before 2022.05.0 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 30.3%
CVSS Severity
CVSS v3 Score 9.3
CVSS v2 Score 6.4
Products affected by CVE-2022-31503
- cpe:2.3:a:orchest:orchest:0.2.1
- cpe:2.3:a:orchest:orchest:0.2.3
- cpe:2.3:a:orchest:orchest:0.2.4
- cpe:2.3:a:orchest:orchest:0.3.0
- cpe:2.3:a:orchest:orchest:0.3.1
- cpe:2.3:a:orchest:orchest:0.3.2
- cpe:2.3:a:orchest:orchest:0.3.3
- cpe:2.3:a:orchest:orchest:0.3.4
- cpe:2.3:a:orchest:orchest:0.3.5
- cpe:2.3:a:orchest:orchest:0.3.6
- cpe:2.3:a:orchest:orchest:0.3.7
- cpe:2.3:a:orchest:orchest:0.3.8
- cpe:2.3:a:orchest:orchest:0.3.9
- cpe:2.3:a:orchest:orchest:0.4.0
- cpe:2.3:a:orchest:orchest:0.4.1
- cpe:2.3:a:orchest:orchest:0.4.2
- cpe:2.3:a:orchest:orchest:0.5.0
- cpe:2.3:a:orchest:orchest:0.6.0
- cpe:2.3:a:orchest:orchest:0.6.1
- cpe:2.3:a:orchest:orchest:0.7.0
- cpe:2.3:a:orchest:orchest:0.8.0
- cpe:2.3:a:orchest:orchest:0.9.0
- cpe:2.3:a:orchest:orchest:0.9.1
- cpe:2.3:a:orchest:orchest:0.9.2
- cpe:2.3:a:orchest:orchest:0.9.3
- cpe:2.3:a:orchest:orchest:0.9.4
- cpe:2.3:a:orchest:orchest:0.9.5
- cpe:2.3:a:orchest:orchest:0.9.6
- cpe:2.3:a:orchest:orchest:2021.03.0
- cpe:2.3:a:orchest:orchest:2021.03.1
- cpe:2.3:a:orchest:orchest:2021.03.10
- cpe:2.3:a:orchest:orchest:2021.03.2
- cpe:2.3:a:orchest:orchest:2021.03.3
- cpe:2.3:a:orchest:orchest:2021.03.4
- cpe:2.3:a:orchest:orchest:2021.03.5
- cpe:2.3:a:orchest:orchest:2021.03.6
- cpe:2.3:a:orchest:orchest:2021.03.7
- cpe:2.3:a:orchest:orchest:2021.03.8
- cpe:2.3:a:orchest:orchest:2021.03.9
- cpe:2.3:a:orchest:orchest:2021.04.01
- cpe:2.3:a:orchest:orchest:2021.04.02
- cpe:2.3:a:orchest:orchest:2021.04.03
- cpe:2.3:a:orchest:orchest:2021.04.04
- cpe:2.3:a:orchest:orchest:2021.04.05
- cpe:2.3:a:orchest:orchest:2021.04.06
- cpe:2.3:a:orchest:orchest:2021.04.10
- cpe:2.3:a:orchest:orchest:2021.04.11
- cpe:2.3:a:orchest:orchest:2021.04.7
- cpe:2.3:a:orchest:orchest:2021.04.8
- cpe:2.3:a:orchest:orchest:2021.04.9
- cpe:2.3:a:orchest:orchest:2021.05.0
- cpe:2.3:a:orchest:orchest:2021.05.1
- cpe:2.3:a:orchest:orchest:2021.06.0
- cpe:2.3:a:orchest:orchest:2021.06.1
- cpe:2.3:a:orchest:orchest:2021.06.2
- cpe:2.3:a:orchest:orchest:2021.06.3
- cpe:2.3:a:orchest:orchest:2021.06.4
- cpe:2.3:a:orchest:orchest:2021.06.5
- cpe:2.3:a:orchest:orchest:2021.06.6
- cpe:2.3:a:orchest:orchest:2021.06.7
- cpe:2.3:a:orchest:orchest:2021.06.8
- cpe:2.3:a:orchest:orchest:2021.07.1
- cpe:2.3:a:orchest:orchest:2021.07.2
- cpe:2.3:a:orchest:orchest:2021.07.3
- cpe:2.3:a:orchest:orchest:2021.08.1
- cpe:2.3:a:orchest:orchest:2021.08.2
- cpe:2.3:a:orchest:orchest:2021.08.3
- cpe:2.3:a:orchest:orchest:2021.08.4
- cpe:2.3:a:orchest:orchest:2021.09.0
- cpe:2.3:a:orchest:orchest:2021.09.1
- cpe:2.3:a:orchest:orchest:2021.09.10
- cpe:2.3:a:orchest:orchest:2021.09.2
- cpe:2.3:a:orchest:orchest:2021.09.3
- cpe:2.3:a:orchest:orchest:2021.09.4
- cpe:2.3:a:orchest:orchest:2021.09.5
- cpe:2.3:a:orchest:orchest:2021.09.6
- cpe:2.3:a:orchest:orchest:2021.09.7
- cpe:2.3:a:orchest:orchest:2021.09.8
- cpe:2.3:a:orchest:orchest:2021.09.9
- cpe:2.3:a:orchest:orchest:2021.10.0
- cpe:2.3:a:orchest:orchest:2021.10.1
- cpe:2.3:a:orchest:orchest:2021.10.2
- cpe:2.3:a:orchest:orchest:2021.11.0
- cpe:2.3:a:orchest:orchest:2021.11.1
- cpe:2.3:a:orchest:orchest:2021.11.2
- cpe:2.3:a:orchest:orchest:2021.11.3
- cpe:2.3:a:orchest:orchest:2021.11.4
- cpe:2.3:a:orchest:orchest:2021.12.0
- cpe:2.3:a:orchest:orchest:2021.12.1
- cpe:2.3:a:orchest:orchest:2021.12.2
- cpe:2.3:a:orchest:orchest:2021.12.3
- cpe:2.3:a:orchest:orchest:2022.01.0
- cpe:2.3:a:orchest:orchest:2022.01.1
- cpe:2.3:a:orchest:orchest:2022.01.2
- cpe:2.3:a:orchest:orchest:2022.01.3
- cpe:2.3:a:orchest:orchest:2022.02.1
- cpe:2.3:a:orchest:orchest:2022.02.2
- cpe:2.3:a:orchest:orchest:2022.02.3
- cpe:2.3:a:orchest:orchest:2022.02.4
- cpe:2.3:a:orchest:orchest:2022.02.5
- cpe:2.3:a:orchest:orchest:2022.02.6
- cpe:2.3:a:orchest:orchest:2022.02.7
- cpe:2.3:a:orchest:orchest:2022.02.8
- cpe:2.3:a:orchest:orchest:2022.02.9
- cpe:2.3:a:orchest:orchest:2022.03.0
- cpe:2.3:a:orchest:orchest:2022.03.1
- cpe:2.3:a:orchest:orchest:2022.03.10
- cpe:2.3:a:orchest:orchest:2022.03.2
- cpe:2.3:a:orchest:orchest:2022.03.3
- cpe:2.3:a:orchest:orchest:2022.03.4
- cpe:2.3:a:orchest:orchest:2022.03.5
- cpe:2.3:a:orchest:orchest:2022.03.6
- cpe:2.3:a:orchest:orchest:2022.03.7
- cpe:2.3:a:orchest:orchest:2022.03.8
- cpe:2.3:a:orchest:orchest:2022.03.9
- cpe:2.3:a:orchest:orchest:2022.04.0
- cpe:2.3:a:orchest:orchest:2022.04.1
- cpe:2.3:a:orchest:orchest:2022.04.2
- cpe:2.3:a:orchest:orchest:2022.04.3
- cpe:2.3:a:orchest:orchest:2022.04.4
- cpe:2.3:a:orchest:orchest:2022.04.5