CVE-2022-31507: 
Python vulnerability analysis and mitigation

The ganga-devs/ganga repository before version 8.5.10 contained a path traversal vulnerability (CVE-2022-31507) due to unsafe usage of the Flask send_file function. The vulnerability was discovered and disclosed in June 2022, affecting the web interface component of the Ganga software (NIST NVD, CISA Bulletin).

The vulnerability stems from improper validation of user input in the jobbrowse function where os.path.join is used unsafely with the Flask sendfile function. When os.path.join encounters an absolute path, it ignores all previous parameters, allowing attackers to traverse directories outside the intended web root folder. The vulnerability has a CVSS v3.1 base score of 6.4, indicating moderate severity (NIST NVD, GitHub Commit).

The vulnerability allows remote attackers to access files and directories stored outside the web root folder through path traversal techniques. This could potentially expose sensitive system files, application source code, and configuration files. The attack can affect components outside the scope of the target module and can be used to gain access to confidential files like passwords and login credentials (GitHub Commit).

The vulnerability was fixed in version 8.5.10 by replacing the unsafe os.path.join call with werkzeug.utils.safejoin. For applications requiring similar functionality, it is recommended to either use werkzeug.utils.safejoin for joining untrusted paths or replace flask.sendfile calls with flask.sendfrom_directory calls (GitHub Release, GitHub Commit).