Vulnerabilities disclosed in Commercetools
Issue date: 14-12-2022
Affects versions: 14.7, 13.4
Security Issue ID
Affected Product Version(s): 14.7.13, 13.4.21 and previous releases.
The noamezekiel/sphere repository through 2020-05-31 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
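To make the CWE-22 pattern named above concrete, the following Python is an added illustration, not code from the noamezekiel/sphere repository or from Commercetools. It contrasts the flawed resolution step (a user-supplied name joined onto a base directory and handed to Flask's send_file, which is what lets an absolute name escape the intended directory) with a resolver modelled on the checks Flask's send_from_directory performs via safe_join. The upload directory and the request names are constructed sample values; Flask itself is not imported so the block runs with the standard library alone.

```python
import os
import posixpath

# Constructed example: the directory the application intends to serve files from.
UPLOAD_DIR = "/srv/app/uploads"


def unsafe_resolve(base_dir: str, requested: str) -> str:
    """The flawed resolution behind this CWE-22 finding.

    A user-supplied name is joined onto base_dir and the result is passed to
    Flask's send_file(). os.path.join() discards base_dir entirely when
    `requested` is absolute, so '/etc/passwd' resolves to itself, and '..'
    segments walk out of base_dir once the path is normalised.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str):
    """Return the absolute path to serve, or None if the request must be refused.

    Modelled on (hypothetical re-implementation, not Flask's own code) the
    checks send_from_directory() applies through safe_join(): refuse NUL bytes
    and backslashes, refuse absolute names outright, then normalise and confirm
    the result still lies strictly inside base_dir.
    """
    if not requested or "\x00" in requested or "\\" in requested:
        return None
    if posixpath.isabs(requested):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # The prefix check must include the trailing separator: '/srv/app/uploads2'
    # starts with '/srv/app/uploads' but is not inside it. Requiring the
    # separator also rejects a request that normalises to the directory itself.
    if not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request names, as a server-side log reviewer might see them.
    for name in ("reports/2022/q4.pdf", "/etc/passwd", "../../etc/passwd", "../uploads2/x.txt"):
        print(f"{name!r:28} unsafe -> {unsafe_resolve(UPLOAD_DIR, name)!r:24} safe -> {safe_resolve(UPLOAD_DIR, name)!r}")
```

The detection angle follows directly from the safe resolver: any request whose name is absolute, contains a backslash or NUL, or normalises outside the base directory is a refusal worth logging, since the same inputs are exactly what succeeds against the unpatched pattern.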
CVSS v2.0
- Base Score: MEDIUM (6.4)
- Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSS v3.1
- Base Score: CRITICAL (9.3)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Customers are recommended to upgrade to the latest version, which at the time of writing is 14.7.13 or 13.4.22.