The cmusatyalab/opendiamond repository through 10.1.1 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. A patch is available on the master branch of the repository.
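To make the advisory's point concrete, the following is an added illustration, not the opendiamond project's code and not taken from the patch: it contrasts the unsafe pattern (a request-controlled path handed to a file-serving call such as Flask's send_file with no validation) with a check that confines the served file to one base directory. It also goes slightly beyond the advisory by rejecting relative `..` escapes, not only absolute paths. The base directory, file names and the function names `unsafe_resolve` / `safe_resolve` are constructed for the example; posixpath is used so the behaviour is the same on every platform.

```python
"""Added illustration (not opendiamond's code): why passing a request-controlled
path to send_file() allows absolute path traversal, and a check that keeps the
served file inside one base directory."""
import posixpath

# Constructed base directory for the illustration.
BASE_DIR = "/srv/app/data"


def unsafe_resolve(base_dir, requested):
    """Mirrors the vulnerable pattern: the path is built from request input
    with no validation. posixpath.join() discards base_dir entirely when
    `requested` is absolute, and normpath() lets '..' climb out of it."""
    return posixpath.normpath(posixpath.join(base_dir, requested))


def safe_resolve(base_dir, requested):
    """Hardened version: refuse absolute input, normalise the joined path and
    verify the result is still under base_dir. Returns None when the request
    must be refused. In Flask the same guarantee comes from
    send_from_directory() or werkzeug.utils.safe_join(); on a real filesystem
    also resolve symlinks (os.path.realpath) before comparing."""
    if not requested or posixpath.isabs(requested):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # commonpath() must be the base itself; a plain startswith() check would
    # wrongly accept a sibling directory such as '/srv/app/data-evil'.
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, from benign to escaping.
    for req in ["reports/2022/summary.txt", "/etc/passwd",
                "../../../etc/passwd", "../data-evil/x"]:
        print(f"{req!r:28} unsafe -> {unsafe_resolve(BASE_DIR, req)!r:22} "
              f"safe -> {safe_resolve(BASE_DIR, req)!r}")
```

The unsafe variant returns `/etc/passwd` for both the absolute and the `..` input, which is exactly the class of bug the advisory describes; the hardened variant returns None for every path that would leave the base directory while still accepting ordinary nested file names.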
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-31506
- https://github.com/github/securitylab/issues/669#issuecomment-1117265726
- https://github.com/cmusatyalab/opendiamond/commit/398049c187ee644beabab44d6fece82251c1ea56
- https://github.com/cmusatyalab/opendiamond/issues/52
- https://github.com/advisories/GHSA-x2pc-fqrw-hc7f