CVE-2019-17109: koji hub allows arbitrary upload destinations
(updated )
The way that the hub code validates upload paths allows for an attacker to choose an arbitrary destination for the uploaded file. Uploading still requires login. However, an attacker with credentials could damage the integrity of the Koji system.
References
- docs.pagure.org/koji/CVE-2019-17109
- github.com/advisories/GHSA-7498-c9fm-g64p
- github.com/koji-project/koji
- github.com/koji-project/koji/blob/d0507c4d2d2269daa984db642e3bd957dff18948/docs/source/CVEs/CVE-2019-17109.rst
- github.com/koji-project/koji/commit/91d6f0b607c7f5af666dfb56931f1db4e38c28a5
- github.com/pypa/advisory-database/tree/main/vulns/koji/PYSEC-2019-183.yaml
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BGUXMZIAQFFNNQ7PEFDAYQCXXKJR76U
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7PSCCFHLNVFLDPC7DB4UJGXD6ZWBSY57
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DEQYYGWLJBQQVTAC7E7XSDGVF27NPMPB
- nvd.nist.gov/vuln/detail/CVE-2019-17109
- pagure.io/koji/commits/master
- pagure.io/koji/issue/1634
- pagure.io/koji/pull-request/1686
Detect and mitigate CVE-2019-17109 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →