This vulnerability was analyzed during Episode 131 on 28 March 2022
The bulk import API when importing a group would, if the group had any uploads, download the uploads.tar.gz and extract it including any symlinks. When the extracted files are later listed, viewing any of the symlinked files will result in the symlink being followed and arbitrary files being read from outside the upload directory.