VYPR
← All advisories
Critical severityNVD Advisory· Published Jul 11, 2022· Updated Aug 3, 2024

CVE-2022-31506

CVE-2022-31506

Description

The cmusatyalab/opendiamond repository through 10.1.1 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Absolute path traversal in cmusatyalab/opendiamond <=10.1.1 due to unsafe use of os.path.join with Flask's send_file, allowing attackers to read arbitrary files.

The vulnerability exists in the opendiamond repository up to version 10.1.1 (commit 398049c). The root cause is the use of os.path.join with attacker-controlled obj_path parameters in multiple dataretriever backend files (e.g., dataretriever.py, cocktail.py). When os.path.join encounters an absolute path (e.g., /etc/passwd), it discards all previous path components, allowing path traversal outside the intended data directory [1][3]. The unsafe path is then passed to Flask's send_file function, which serves the file without further validation.

How it is exploited

An unauthenticated attacker can exploit this by sending a crafted HTTP GET request to the endpoint /obj/<path:obj_path> with an absolute path. For example, curl --path-as-is 'http:///obj//../../../../etc/passwd' would retrieve /etc/passwd [3]. No authentication is required, and the attack can be performed remotely if the service is exposed. The CVSS base score is 9.8 (Critical), reflecting the low attack complexity and network attack vector [2].

Impact

Successful exploitation allows an attacker to read arbitrary files on the server filesystem, including application source code, configuration files, and sensitive system files like /etc/passwd. This can lead to information disclosure and potentially further compromise of the host system [3].

Mitigation

The vulnerability was patched in commit 398049c by replacing os.path.join with safe_join from werkzeug.security, which prevents path traversal by rejecting paths containing .. sequences or absolute components [1]. All users should update to a version containing this fix or apply the patch manually.

References
  1. Fix path traversal issues in all dataretriever backends · cmusatyalab/opendiamond@398049c
  2. NVD - CVE-2022-31506
  3. Security Vulnerability Found · Issue #52 · cmusatyalab/opendiamond

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
opendiamondPyPI
<= 10.1.1

Affected products

3

Patches

1
398049c187ee

Fix path traversal issues in all dataretriever backends

https://github.com/cmusatyalab/opendiamondJan HarkesMay 4, 2022via ghsa
commit
6 files changed · +19 13
  • opendiamond/dataretriever/augment_store.py+1 1 modified
    @@ -24,7 +24,7 @@
 from flask import Blueprint, url_for, Response, stream_with_context, send_file, \
     jsonify
 from werkzeug.datastructures import Headers
-from werkzeug.utils import safe_join
+from werkzeug.security import safe_join
 from opendiamond.dataretriever.util import read_file_list, write_data
  • opendiamond/dataretriever/diamond_store.py+3 2 modified
    @@ -17,6 +17,7 @@
 from flask import Blueprint, url_for, Response, stream_with_context, send_file, \
     jsonify
 from werkzeug.datastructures import Headers
+from werkzeug.security import safe_join
 
 from opendiamond.dataretriever.util import ATTR_SUFFIX
 
@@ -120,11 +121,11 @@ def _get_object_src_uri(object_path):
 
 
 def _get_obj_absolute_path(obj_path):
-    return os.path.join(DATAROOT, obj_path)
+    return safe_join(DATAROOT, obj_path)
 
 
 def _get_index_absolute_path(index):
-    return os.path.join(INDEXDIR, index)
+    return safe_join(INDEXDIR, index)
 
 
 @scope_blueprint.route('/obj/<path:obj_path>')
  • opendiamond/dataretriever/mixer_store.py+3 2 modified
    @@ -24,6 +24,7 @@
 from flask import Blueprint, url_for, Response, stream_with_context, send_file, \
     jsonify
 from werkzeug.datastructures import Headers
+from werkzeug.security import safe_join
 
 BASEURL = 'cocktail'
 STYLE = False
@@ -249,11 +250,11 @@ def _get_obj_path(obj_path):
     return obj_path.replace(DATAROOT+'/', '')
 
 def _get_obj_absolute_path(obj_path):
-    return os.path.join(DATAROOT, obj_path)
+    return safe_join(DATAROOT, obj_path)
 
 
 def _get_index_absolute_path(index):
-    return os.path.join(INDEXDIR, index)
+    return safe_join(INDEXDIR, index)
 
 
 @scope_blueprint.route('/obj/<path:obj_path>')
  • opendiamond/dataretriever/test_store.py+4 2 modified
    @@ -24,6 +24,8 @@
 from flask import Blueprint, url_for, Response, stream_with_context, send_file, \
     jsonify
 from werkzeug.datastructures import Headers
+from werkzeug.security import safe_join
+
 from opendiamond.dataretriever.test_utils import *
 
 
@@ -279,11 +281,11 @@ def _get_obj_path(obj_path):
     return obj_path.replace(DATAROOT+'/', '')
 
 def _get_obj_absolute_path(obj_path):
-    return os.path.join(DATAROOT, obj_path)
+    return safe_join(DATAROOT, obj_path)
 
 
 def _get_index_absolute_path(index):
-    return os.path.join(INDEXDIR, index)
+    return safe_join(INDEXDIR, index)
 
 
 @scope_blueprint.route('/obj/<path:obj_path>')
  • opendiamond/dataretriever/video_store.py+3 2 modified
    @@ -21,6 +21,7 @@
 from flask import Blueprint, Response, request, stream_with_context, url_for
 from opendiamond.dataretriever.util import DiamondTextAttr
 from werkzeug.datastructures import Headers
+from werkzeug.security import safe_join
 
 # IMPORTANT: requires ffmpeg >= 3.3. Lower versions produce incorrect clipping.
 
@@ -122,11 +123,11 @@ def _get_object_element(start, span, video):
 
 
 def _get_obj_absolute_path(obj_path):
-    return os.path.join(DATAROOT, obj_path)
+    return safe_join(DATAROOT, obj_path)
 
 
 def _get_index_absolute_path(index):
-    return os.path.join(INDEXDIR, index)
+    return safe_join(INDEXDIR, index)
 
 
 def _ffprobe(video_path):
  • opendiamond/dataretriever/yfcc100m_mysql_store.py+5 4 modified
    @@ -29,6 +29,7 @@
 import logging
 import mysql.connector
 from werkzeug.datastructures import Headers
+from werkzeug.security import safe_join
 from xml.sax.saxutils import quoteattr
 
 BASEURL = 'yfcc100m_mysql'
@@ -124,7 +125,7 @@ def get_object_id(dataset, seq_no):
 
 @scope_blueprint.route('/obj/<dataset>/<path:rel_path>')
 def get_object_src_http(dataset, rel_path):
-    path = _get_obj_abosolute_path(dataset, rel_path)
+    path = _get_obj_absolute_path(dataset, rel_path)
     response = send_file(path,
                          cache_timeout=datetime.timedelta(
                              days=365).total_seconds(),
@@ -133,8 +134,8 @@ def get_object_src_http(dataset, rel_path):
     return response
 
 
-def _get_obj_abosolute_path(dataset, rel_path):
-    return os.path.join(DATAROOT, dataset, rel_path)
+def _get_obj_absolute_path(dataset, rel_path):
+    return safe_join(DATAROOT, dataset, rel_path)
 
 
 def _get_object_element(dataset, seq_no, rel_path, download_link):
@@ -162,7 +163,7 @@ def _get_object_element(dataset, seq_no, rel_path, download_link):
         rel_path, download_link = row[0], row[1]
 
     if LOCAL_OBJ_URI:
-        src_uri = 'file://' + os.path.join(DATAROOT, dataset, rel_path)
+        src_uri = 'file://' + _get_obj_absolute_path(dataset, rel_path)
     else:
         src_uri = url_for('.get_object_src_http', dataset=dataset, rel_path=rel_path)

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.