GMS-2017-180: Arbitrary File Download

August 28, 2017

This package is vulnerable to Arbitrary File Download. A client can use backslashes to escape the directory the files where exposed from. Note: Only if the host server is a windows-based operating system.

References

github.com/pallets/flask/blob/master/CHANGES
github.com/pallets/flask/commit/aeed530e3221c1b445c13269dcd2fb67548bcefc

Detect and mitigate GMS-2017-180 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →