Vulnerabilities disclosed in Commercetools

Issue date: 14-12-2022
Affects versions: 14.7, 13.4

Security Issue ID

SECURITY-351


Affected Product Version(s)

14.7.13, 13.4.21 and previous releases.


Severity

Critical


Description

CVE-2022-31547

The noamezekiel/sphere repository through 2020-05-31 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
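As an added example (not part of the advisory or of the sphere project), the following standard-library-only check shows the guard that an unqualified `send_file(user_supplied_path)` call lacks: it rejects absolute and parent-directory inputs and confirms the resolved target stays under an assumed serving root (`SERVE_ROOT` is a hypothetical path, not one taken from the project).

```python
from pathlib import Path, PurePosixPath

# Assumed serving root; the advisory does not name the project's directory.
SERVE_ROOT = Path("/srv/app/static")


class UnsafePath(ValueError):
    """Requested filename would be served from outside the serving root."""


def resolve_download(requested: str, root: Path = SERVE_ROOT) -> Path:
    """Map an untrusted filename onto a file under root, or raise UnsafePath.

    Passing `requested` straight to Flask's send_file() is the unsafe pattern
    described in CVE-2022-31547: an absolute input is opened as-is. Flask's
    send_from_directory()/safe_join() avoid that with checks equivalent to the
    ones reproduced here using only the standard library.
    """
    if "\x00" in requested:
        raise UnsafePath("NUL byte in filename")
    rel = PurePosixPath(requested)
    if not rel.parts:
        raise UnsafePath("empty filename")
    if rel.is_absolute():
        raise UnsafePath("absolute path rejected")
    if ".." in rel.parts:
        raise UnsafePath("parent-directory segment rejected")
    # Containment check: normalise without requiring the file to exist
    # (strict=False) so this runs offline, then require the result to be a
    # descendant of root. This is the check that matters even if the two
    # lexical rejections above are bypassed by some encoding variant.
    root_resolved = root.resolve(strict=False)
    candidate = root_resolved.joinpath(*rel.parts).resolve(strict=False)
    if root_resolved not in candidate.parents:
        raise UnsafePath("path escapes serving root")
    return candidate


def is_safe(requested: str, root: Path = SERVE_ROOT) -> bool:
    """Boolean wrapper suitable for a request handler or a unit test."""
    try:
        resolve_download(requested, root)
    except UnsafePath:
        return False
    return True
```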

CVSSv2:

  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSSv3:

  • Base Score: CRITICAL (9.3)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Instructions

Customers are advised to upgrade to the latest version, which at the time of writing is 14.7.13 or 13.4.22.