Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03NDk4LWM5Zm0tZzY0cM4AAiWT

koji hub allows arbitrary upload destinations

The way that the hub code validates upload paths allows for an attacker to choose an arbitrary destination for the uploaded file.
Uploading still requires login. However, an attacker with credentials could damage the integrity of the Koji system.

Workaround

There is no known workaround. All Koji admins are encouraged to update to a fixed version as soon as possible.

Fix

Koji versions 1.14.3, 1.15.3, 1.16.3, 1.17.1, and 1.18.1 all include patches to solve this vulnerability.

Permalink: https://github.com/advisories/GHSA-7498-c9fm-g64p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03NDk4LWM5Zm0tZzY0cM4AAiWT
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 2 months ago

CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-7498-c9fm-g64p, CVE-2019-17109
References:

Repository: https://github.com/koji-project/koji
Blast Radius: 12.9

Affected Packages

pypi:koji

Dependent packages: 12
Dependent repositories: 95
Downloads: 29,479 last month
Affected Version Ranges: >= 1.18.0, < 1.18.1, >= 1.17.0, < 1.17.1, >= 1.16.0, < 1.16.3, >= 1.15.0, < 1.15.3, >= 1.14.0, < 1.14.3
Fixed in: 1.18.1, 1.17.1, 1.16.3, 1.15.3, 1.14.3
All affected versions: 1.15.0, 1.16.0, 1.16.1, 1.17.0, 1.18.0
All unaffected versions: 1.19.0, 1.19.1, 1.20.0, 1.20.1, 1.21.0, 1.21.1, 1.22.0, 1.22.1, 1.23.0, 1.23.1, 1.24.0, 1.24.1, 1.25.0, 1.25.1, 1.26.0, 1.26.1, 1.27.0, 1.27.1, 1.28.0, 1.28.1, 1.29.0, 1.29.1, 1.30.0, 1.30.1, 1.31.0, 1.31.1, 1.32.0, 1.32.1, 1.33.0, 1.33.1, 1.33.2, 1.34.0, 1.34.1, 1.34.2, 1.34.3, 1.35.0, 1.35.1