CVE-2018-1002150

CRITICAL9.1EPSS 0.30%

Koji hub call does not perform correct access checks

Published: 7/12/2018Modified: 2/18/2025

Description

Koji version 1.12, 1.13, 1.14 and 1.15 contain an incorrect access control vulnerability resulting in arbitrary filesystem read/write access. This vulnerability has been fixed in versions 1.12.1, 1.13.1, 1.14.1 and 1.15.1.

Affected packages (2)

PyPI/koji>= 1.15, < 1.15.1
PyPI/kojifrom 0, < 1.15.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (8)

ADVISORYhttps://github.com/advisories/GHSA-6mww-xvh7-fq4f
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-1002150
PATCHhttps://pagure.io/koji
WEBhttps://docs.pagure.org/koji/CVE-2018-1002150
WEBhttps://docs.pagure.org/koji/CVE-2018-1002150/
WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/koji/PYSEC-2018-86.yaml
WEBhttps://pagure.io/koji/c/ab1ade7
WEBhttps://pagure.io/koji/issue/850