The way that the hub code validates upload paths allows for an attacker to choose an arbitrary destination for the uploaded file. Uploading still requires login. However, an attacker with credentials could damage the integrity of the Koji system.
SQL injection vulnerabilities have been found in multiple call handlers in Koji’s hub code. An anonymous attacker can use these vulnerabilities to issue arbitrary database commands.
Koji version 1.12, 1.13, 1.14 and 1.15 contain an incorrect access control vulnerability resulting in arbitrary filesystem read/write access. This vulnerability has been fixed in versions 1.12.1, 1.13.1, 1.14.1 and 1.15.1.