oss-sec mailing list archives
Koji CVE-2019-17109: koji hub allows arbitrary upload destinations
From: Patrick Uiterwijk <puiterwijk () redhat com>
Date: Wed, 9 Oct 2019 16:57:52 +0200
Description
===========
The way that the hub code validates upload paths allows for an attacker to choose an arbitrary destination for the uploaded file.

Affected versions
=================
All prior versions of Koji are vulnerable.

Patched versions
================
Koji versions 1.14.3, 1.15.3, 1.16.3, 1.17.1, and 1.18.1 are available on the website, and all include patches to solve this problem.

Credits
=======
This issue was discovered by Yu Ming Zhu of Red Hat.

References
==========
https://docs.pagure.org/koji/CVE-2019-17109/