CVE-2019-17400 (GCVE-0-2019-17400)
Vulnerability from cvelistv5 – Published: 2019-10-21 22:06 – Updated: 2024-08-05 01:40
Summary
The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
Severity ?
No CVSS data available in this CVE record itself; the NVD enrichment further down the page carries a CVSS v3.1 base score of 7.5 (HIGH) and a CVSS v2 base score of 5.0 (MEDIUM) for the same CVE.
CWE
- n/a (as assigned by the CNA; the NVD enrichment below classifies this CVE as CWE-918, Server-Side Request Forgery)
Assigner
References
| URL | Tags |
|---|---|
| https://github.com/unoconv/unoconv/pull/510 | x_refsource_MISC |
| https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:40:15.443Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/unoconv/unoconv/pull/510"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-21T22:06:04.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/unoconv/unoconv/pull/510"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-17400",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/unoconv/unoconv/pull/510",
"refsource": "MISC",
"url": "https://github.com/unoconv/unoconv/pull/510"
},
{
"name": "https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/",
"refsource": "MISC",
"url": "https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-17400",
"datePublished": "2019-10-21T22:06:04.000Z",
"dateReserved": "2019-10-09T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:40:15.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:universal_office_converter_project:universal_office_converter:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.9\", \"matchCriteriaId\": \"00493D19-50D6-473A-A38A-27763BA8E8B7\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.\"}, {\"lang\": \"es\", \"value\": \"El paquete unoconv versiones anteriores a 0.9, maneja inapropiadamente los nombres de ruta no confiables, lo que conlleva a una vulnerabilidad de tipo SSRF e inclusi\\u00f3n de archivos locales.\"}]",
"id": "CVE-2019-17400",
"lastModified": "2024-11-21T04:32:16.003",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2019-10-21T23:15:12.183",
"references": "[{\"url\": \"https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/unoconv/unoconv/pull/510\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/unoconv/unoconv/pull/510\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-918\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-17400\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-10-21T23:15:12.183\",\"lastModified\":\"2024-11-21T04:32:16.003\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.\"},{\"lang\":\"es\",\"value\":\"El paquete unoconv versiones anteriores a 0.9, maneja inapropiadamente los nombres de ruta no confiables, lo que conlleva a una vulnerabilidad de tipo SSRF e inclusi\u00f3n de archivos locales.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:universal_office_converter_project:universal_office_c
onverter:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.9\",\"matchCriteriaId\":\"00493D19-50D6-473A-A38A-27763BA8E8B7\"}]}]}],\"references\":[{\"url\":\"https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/unoconv/unoconv/pull/510\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/unoconv/unoconv/pull/510\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
}
}
CNVD-2020-14289
Vulnerability from cnvd - Published: 2020-02-28
Title
unoconv package代码问题漏洞
Description
unoconv package是一款用于文档格式转换的软件包。
unoconv包0.9之前版本中存在代码问题漏洞,该漏洞源于unoconv未能正确处理不可信路径名,目前没有详细的漏洞细节提供。
Severity
中
Patch Name
unoconv package代码问题漏洞的补丁
Patch Description
unoconv package是一款用于文档格式转换的软件包。
unoconv包0.9之前版本中存在代码问题漏洞,该漏洞源于unoconv未能正确处理不可信路径名,目前没有详细的漏洞细节提供。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布了漏洞修复程序,请及时关注更新: https://github.com/unoconv/unoconv/pull/510
Reference
https://nvd.nist.gov/vuln/detail/CVE-2019-17400
https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/
Impacted products
| Name | Affected range |
|---|---|
| unoconv unoconv | <0.9 |
{
"cves": {
"cve": {
"cveNumber": "CVE-2019-17400",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-17400"
}
},
"description": "unoconv package\u662f\u4e00\u6b3e\u7528\u4e8e\u6587\u6863\u683c\u5f0f\u8f6c\u6362\u7684\u8f6f\u4ef6\u5305\u3002\n\nunoconv\u53050.9\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eunoconv\u672a\u80fd\u6b63\u786e\u5904\u7406\u4e0d\u53ef\u4fe1\u8def\u5f84\u540d\uff0c\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/unoconv/unoconv/pull/510",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2020-14289",
"openTime": "2020-02-28",
"patchDescription": "unoconv package\u662f\u4e00\u6b3e\u7528\u4e8e\u6587\u6863\u683c\u5f0f\u8f6c\u6362\u7684\u8f6f\u4ef6\u5305\u3002\r\n\r\nunoconv\u53050.9\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eunoconv\u672a\u80fd\u6b63\u786e\u5904\u7406\u4e0d\u53ef\u4fe1\u8def\u5f84\u540d\uff0c\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "unoconv package\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "unoconv unoconv \u003c0.9"
},
"referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-17400\r\nhttps://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/",
"serverity": "\u4e2d",
"submitTime": "2019-10-22",
"title": "unoconv package\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e"
}
WID-SEC-W-2026-0012
Vulnerability from csaf_certbund - Published: 2020-09-29 22:00 - Updated: 2026-01-05 23:00
Summary
Red Hat Enterprise Linux: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.
Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux ausnutzen, um dadurch die Integrität, Vertraulichkeit und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme: - Linux
References
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux ausnutzen, um dadurch die Integrit\u00e4t, Vertraulichkeit und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0012 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2026-0012.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0012 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0012"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2020-09-29",
"url": "https://access.redhat.com/errata/RHSA-2020:3869"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2020-09-29",
"url": "https://access.redhat.com/errata/RHSA-2020:3877"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2020-09-29",
"url": "https://access.redhat.com/errata/RHSA-2020:3898"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2020-09-29",
"url": "https://access.redhat.com/errata/RHSA-2020:3940"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2020-09-29",
"url": "https://access.redhat.com/errata/RHSA-2020:3944"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2020-09-29",
"url": "https://access.redhat.com/errata/RHSA-2020:3949"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2020-09-29",
"url": "https://access.redhat.com/errata/RHSA-2020:3971"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2020-09-29",
"url": "https://access.redhat.com/errata/RHSA-2020:4001"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2020-09-29",
"url": "https://access.redhat.com/errata/RHSA-2020:4007"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2020-09-29",
"url": "https://access.redhat.com/errata/RHSA-2020:4030"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2020-09-29",
"url": "https://access.redhat.com/errata/RHSA-2020:4039"
},
{
"category": "external",
"summary": "AVAYA Security Advisory ASA-2020-117 vom 2020-10-15",
"url": "https://downloads.avaya.com/css/P8/documents/101071400"
},
{
"category": "external",
"summary": "AVAYA Security Advisory ASA-2020-128 vom 2020-10-15",
"url": "https://downloads.avaya.com/css/P8/documents/101071421"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2020:2967-1 vom 2020-10-20",
"url": "http://lists.suse.com/pipermail/sle-security-updates/2020-October/007591.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2020:2966-1 vom 2020-10-20",
"url": "http://lists.suse.com/pipermail/sle-security-updates/2020-October/007597.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2020:3034-1 vom 2020-10-26",
"url": "http://lists.suse.com/pipermail/sle-security-updates/2020-October/007623.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:4481 vom 2020-11-04",
"url": "https://access.redhat.com/errata/RHSA-2020:4481"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:4445 vom 2020-11-04",
"url": "https://access.redhat.com/errata/RHSA-2020:4445"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:4650 vom 2020-11-04",
"url": "https://access.redhat.com/errata/RHSA-2020:4650"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:4689 vom 2020-11-04",
"url": "https://access.redhat.com/errata/RHSA-2020:4689"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2020:4553 vom 2020-11-04",
"url": "https://access.redhat.com/errata/RHSA-2020:4553"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2020:3516-1 vom 2020-11-25",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2020-November/007858.html"
},
{
"category": "external",
"summary": "AVAYA Security Advisory ASA-2020-184 vom 2020-12-06",
"url": "https://downloads.avaya.com/css/P8/documents/101072779"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS-2021-1486 vom 2021-03-20",
"url": "https://alas.aws.amazon.com/ALAS-2021-1486.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2021:1758 vom 2021-05-18",
"url": "https://access.redhat.com/errata/RHSA-2021:1758"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS-2021-1643 vom 2021-05-24",
"url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1643.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS-2021-1647 vom 2021-06-23",
"url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1647.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-23457 vom 2026-01-06",
"url": "https://linux.oracle.com/errata/ELSA-2025-23457.html"
}
],
"source_lang": "en-US",
"title": "Red Hat Enterprise Linux: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-01-05T23:00:00.000+00:00",
"generator": {
"date": "2026-01-06T08:35:12.262+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0012",
"initial_release_date": "2020-09-29T22:00:00.000+00:00",
"revision_history": [
{
"date": "2020-09-29T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2020-10-14T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von AVAYA aufgenommen"
},
{
"date": "2020-10-20T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2020-10-26T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2020-11-03T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2020-11-25T23:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2020-12-07T23:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von AVAYA aufgenommen"
},
{
"date": "2021-03-21T23:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2021-05-18T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2021-05-24T22:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2021-06-23T22:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2026-01-05T23:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von Oracle Linux aufgenommen"
}
],
"status": "final",
"version": "12"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Amazon Linux 2",
"product": {
"name": "Amazon Linux 2",
"product_id": "398363",
"product_identification_helper": {
"cpe": "cpe:/o:amazon:linux_2:-"
}
}
}
],
"category": "vendor",
"name": "Amazon"
},
{
"branches": [
{
"category": "product_name",
"name": "Avaya Aura Application Enablement Services",
"product": {
"name": "Avaya Aura Application Enablement Services",
"product_id": "T015516",
"product_identification_helper": {
"cpe": "cpe:/a:avaya:aura_application_enablement_services:-"
}
}
},
{
"category": "product_name",
"name": "Avaya Aura Communication Manager",
"product": {
"name": "Avaya Aura Communication Manager",
"product_id": "T015126",
"product_identification_helper": {
"cpe": "cpe:/a:avaya:communication_manager:-"
}
}
},
{
"category": "product_name",
"name": "Avaya Aura Experience Portal",
"product": {
"name": "Avaya Aura Experience Portal",
"product_id": "T015519",
"product_identification_helper": {
"cpe": "cpe:/a:avaya:aura_experience_portal:-"
}
}
},
{
"category": "product_name",
"name": "Avaya Aura Session Manager",
"product": {
"name": "Avaya Aura Session Manager",
"product_id": "T015127",
"product_identification_helper": {
"cpe": "cpe:/a:avaya:session_manager:-"
}
}
},
{
"category": "product_name",
"name": "Avaya Aura System Manager",
"product": {
"name": "Avaya Aura System Manager",
"product_id": "T015518",
"product_identification_helper": {
"cpe": "cpe:/a:avaya:aura_system_manager:-"
}
}
},
{
"category": "product_name",
"name": "Avaya Web License Manager",
"product": {
"name": "Avaya Web License Manager",
"product_id": "T016243",
"product_identification_helper": {
"cpe": "cpe:/a:avaya:web_license_manager:-"
}
}
}
],
"category": "vendor",
"name": "Avaya"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-13440",
"product_status": {
"known_affected": [
"T015519",
"T015518",
"T002207",
"67646",
"T015516",
"T015127",
"398363",
"T015126",
"T004914",
"T016243"
]
},
"release_date": "2020-09-29T22:00:00.000+00:00",
"title": "CVE-2018-13440"
},
{
"cve": "CVE-2018-17095",
"product_status": {
"known_affected": [
"T015519",
"T015518",
"T002207",
"67646",
"T015516",
"T015127",
"398363",
"T015126",
"T004914",
"T016243"
]
},
"release_date": "2020-09-29T22:00:00.000+00:00",
"title": "CVE-2018-17095"
},
{
"cve": "CVE-2019-16707",
"product_status": {
"known_affected": [
"T015519",
"T015518",
"T002207",
"67646",
"T015516",
"T015127",
"398363",
"T015126",
"T004914",
"T016243"
]
},
"release_date": "2020-09-29T22:00:00.000+00:00",
"title": "CVE-2019-16707"
},
{
"cve": "CVE-2019-17400",
"product_status": {
"known_affected": [
"T015519",
"T015518",
"T002207",
"67646",
"T015516",
"T015127",
"398363",
"T015126",
"T004914",
"T016243"
]
},
"release_date": "2020-09-29T22:00:00.000+00:00",
"title": "CVE-2019-17400"
},
{
"cve": "CVE-2019-17402",
"product_status": {
"known_affected": [
"T015519",
"T015518",
"T002207",
"67646",
"T015516",
"T015127",
"398363",
"T015126",
"T004914",
"T016243"
]
},
"release_date": "2020-09-29T22:00:00.000+00:00",
"title": "CVE-2019-17402"
},
{
"cve": "CVE-2019-18609",
"product_status": {
"known_affected": [
"T015519",
"T015518",
"T002207",
"67646",
"T015516",
"T015127",
"398363",
"T015126",
"T004914",
"T016243"
]
},
"release_date": "2020-09-29T22:00:00.000+00:00",
"title": "CVE-2019-18609"
},
{
"cve": "CVE-2019-20386",
"product_status": {
"known_affected": [
"T015519",
"T015518",
"T002207",
"67646",
"T015516",
"T015127",
"398363",
"T015126",
"T004914",
"T016243"
]
},
"release_date": "2020-09-29T22:00:00.000+00:00",
"title": "CVE-2019-20386"
},
{
"cve": "CVE-2019-3695",
"product_status": {
"known_affected": [
"T015519",
"T015518",
"T002207",
"67646",
"T015516",
"T015127",
"398363",
"T015126",
"T004914",
"T016243"
]
},
"release_date": "2020-09-29T22:00:00.000+00:00",
"title": "CVE-2019-3695"
},
{
"cve": "CVE-2019-3696",
"product_status": {
"known_affected": [
"T015519",
"T015518",
"T002207",
"67646",
"T015516",
"T015127",
"398363",
"T015126",
"T004914",
"T016243"
]
},
"release_date": "2020-09-29T22:00:00.000+00:00",
"title": "CVE-2019-3696"
},
{
"cve": "CVE-2019-3833",
"product_status": {
"known_affected": [
"T015519",
"T015518",
"T002207",
"67646",
"T015516",
"T015127",
"398363",
"T015126",
"T004914",
"T016243"
]
},
"release_date": "2020-09-29T22:00:00.000+00:00",
"title": "CVE-2019-3833"
},
{
"cve": "CVE-2020-0556",
"product_status": {
"known_affected": [
"T015519",
"T015518",
"T002207",
"67646",
"T015516",
"T015127",
"398363",
"T015126",
"T004914",
"T016243"
]
},
"release_date": "2020-09-29T22:00:00.000+00:00",
"title": "CVE-2020-0556"
},
{
"cve": "CVE-2020-11761",
"product_status": {
"known_affected": [
"T015519",
"T015518",
"T002207",
"67646",
"T015516",
"T015127",
"398363",
"T015126",
"T004914",
"T016243"
]
},
"release_date": "2020-09-29T22:00:00.000+00:00",
"title": "CVE-2020-11761"
},
{
"cve": "CVE-2020-11763",
"product_status": {
"known_affected": [
"T015519",
"T015518",
"T002207",
"67646",
"T015516",
"T015127",
"398363",
"T015126",
"T004914",
"T016243"
]
},
"release_date": "2020-09-29T22:00:00.000+00:00",
"title": "CVE-2020-11763"
},
{
"cve": "CVE-2020-11764",
"product_status": {
"known_affected": [
"T015519",
"T015518",
"T002207",
"67646",
"T015516",
"T015127",
"398363",
"T015126",
"T004914",
"T016243"
]
},
"release_date": "2020-09-29T22:00:00.000+00:00",
"title": "CVE-2020-11764"
},
{
"cve": "CVE-2020-8631",
"product_status": {
"known_affected": [
"T015519",
"T015518",
"T002207",
"67646",
"T015516",
"T015127",
"398363",
"T015126",
"T004914",
"T016243"
]
},
"release_date": "2020-09-29T22:00:00.000+00:00",
"title": "CVE-2020-8631"
},
{
"cve": "CVE-2020-8632",
"product_status": {
"known_affected": [
"T015519",
"T015518",
"T002207",
"67646",
"T015516",
"T015127",
"398363",
"T015126",
"T004914",
"T016243"
]
},
"release_date": "2020-09-29T22:00:00.000+00:00",
"title": "CVE-2020-8632"
}
]
}
GSD-2019-17400
Vulnerability from gsd - Updated: 2023-12-13 01:23
Details
The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
Aliases
{
"GSD": {
"alias": "CVE-2019-17400",
"description": "The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.",
"id": "GSD-2019-17400",
"references": [
"https://www.suse.com/security/cve/CVE-2019-17400.html",
"https://access.redhat.com/errata/RHSA-2020:3944",
"https://linux.oracle.com/cve/CVE-2019-17400.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-17400"
],
"details": "The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.",
"id": "GSD-2019-17400",
"modified": "2023-12-13T01:23:44.635122Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-17400",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/unoconv/unoconv/pull/510",
"refsource": "MISC",
"url": "https://github.com/unoconv/unoconv/pull/510"
},
{
"name": "https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/",
"refsource": "MISC",
"url": "https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c0.9.0",
"affected_versions": "All versions before 0.9.0",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-918",
"CWE-937"
],
"date": "2021-08-18",
"description": "The unoconv package mishandles untrusted pathnames, leading to SSRF and local file inclusion.",
"fixed_versions": [
"0.9.0"
],
"identifier": "CVE-2019-17400",
"identifiers": [
"GHSA-27p5-7cw6-m45h",
"CVE-2019-17400"
],
"not_impacted": "All versions starting from 0.9.0",
"package_slug": "pypi/unoconv",
"pubdate": "2019-10-24",
"solution": "Upgrade to version 0.9.0 or above.",
"title": "Server-Side Request Forgery (SSRF)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-17400",
"https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/",
"https://github.com/unoconv/unoconv/pull/510",
"https://github.com/advisories/GHSA-27p5-7cw6-m45h"
],
"uuid": "91668621-9c1a-49e4-8168-ca399bc423d6"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:universal_office_converter_project:universal_office_converter:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "0.9",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-17400"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/unoconv/unoconv/pull/510",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/unoconv/unoconv/pull/510"
},
{
"name": "https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2019-10-23T19:38Z",
"publishedDate": "2019-10-21T23:15Z"
}
}
}
RHSA-2020:3944
Vulnerability from csaf_redhat - Published: 2020-09-29 21:07 - Updated: 2025-11-21 18:17
Summary
Red Hat Security Advisory: unoconv security update
Severity
Moderate
Notes
Topic: An update for unoconv is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Universal Office Converter (unoconv) is a command line tool to convert any document format that LibreOffice can import to any document format that LibreOffice can export. It makes use of the LibreOffice's UNO bindings for non-interactive conversion of documents.
Security Fix(es):
* unoconv: mishandling of pathname leads to SSRF and local file inclusion (CVE-2019-17400)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
7.5 (High)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2020:3944
References
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for unoconv is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Universal Office Converter (unoconv) is a command line tool to convert any document format that LibreOffice can import to any document format that LibreOffice can export. It makes use of the LibreOffice\u0027s UNO bindings for non-interactive conversion of documents. \n\nSecurity Fix(es):\n\n* unoconv: mishandling of pathname leads to SSRF and local file inclusion (CVE-2019-17400)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:3944",
"url": "https://access.redhat.com/errata/RHSA-2020:3944"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index"
},
{
"category": "external",
"summary": "1765007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1765007"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_3944.json"
}
],
"title": "Red Hat Security Advisory: unoconv security update",
"tracking": {
"current_release_date": "2025-11-21T18:17:00+00:00",
"generator": {
"date": "2025-11-21T18:17:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2020:3944",
"initial_release_date": "2020-09-29T21:07:32+00:00",
"revision_history": [
{
"date": "2020-09-29T21:07:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-09-29T21:07:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:17:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.9",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.9",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "unoconv-0:0.6-8.el7.noarch",
"product": {
"name": "unoconv-0:0.6-8.el7.noarch",
"product_id": "unoconv-0:0.6-8.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/unoconv@0.6-8.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "unoconv-0:0.6-8.el7.src",
"product": {
"name": "unoconv-0:0.6-8.el7.src",
"product_id": "unoconv-0:0.6-8.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/unoconv@0.6-8.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "unoconv-0:0.6-8.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.9:unoconv-0:0.6-8.el7.noarch"
},
"product_reference": "unoconv-0:0.6-8.el7.noarch",
"relates_to_product_reference": "7Client-7.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "unoconv-0:0.6-8.el7.src as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.9:unoconv-0:0.6-8.el7.src"
},
"product_reference": "unoconv-0:0.6-8.el7.src",
"relates_to_product_reference": "7Client-7.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "unoconv-0:0.6-8.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9:unoconv-0:0.6-8.el7.noarch"
},
"product_reference": "unoconv-0:0.6-8.el7.noarch",
"relates_to_product_reference": "7Server-optional-7.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "unoconv-0:0.6-8.el7.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9:unoconv-0:0.6-8.el7.src"
},
"product_reference": "unoconv-0:0.6-8.el7.src",
"relates_to_product_reference": "7Server-optional-7.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "unoconv-0:0.6-8.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.9:unoconv-0:0.6-8.el7.noarch"
},
"product_reference": "unoconv-0:0.6-8.el7.noarch",
"relates_to_product_reference": "7Workstation-7.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "unoconv-0:0.6-8.el7.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.9:unoconv-0:0.6-8.el7.src"
},
"product_reference": "unoconv-0:0.6-8.el7.src",
"relates_to_product_reference": "7Workstation-7.9"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-17400",
"cwe": {
"id": "CWE-829",
"name": "Inclusion of Functionality from Untrusted Control Sphere"
},
"discovery_date": "2019-10-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1765007"
}
],
"notes": [
{
"category": "description",
"text": "The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "unoconv: mishandling of pathname leads to SSRF and local file inclusion",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-7.9:unoconv-0:0.6-8.el7.noarch",
"7Client-7.9:unoconv-0:0.6-8.el7.src",
"7Server-optional-7.9:unoconv-0:0.6-8.el7.noarch",
"7Server-optional-7.9:unoconv-0:0.6-8.el7.src",
"7Workstation-7.9:unoconv-0:0.6-8.el7.noarch",
"7Workstation-7.9:unoconv-0:0.6-8.el7.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-17400"
},
{
"category": "external",
"summary": "RHBZ#1765007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1765007"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-17400",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-17400"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17400",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17400"
}
],
"release_date": "2019-10-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-09-29T21:07:32+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-7.9:unoconv-0:0.6-8.el7.noarch",
"7Client-7.9:unoconv-0:0.6-8.el7.src",
"7Server-optional-7.9:unoconv-0:0.6-8.el7.noarch",
"7Server-optional-7.9:unoconv-0:0.6-8.el7.src",
"7Workstation-7.9:unoconv-0:0.6-8.el7.noarch",
"7Workstation-7.9:unoconv-0:0.6-8.el7.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3944"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Client-7.9:unoconv-0:0.6-8.el7.noarch",
"7Client-7.9:unoconv-0:0.6-8.el7.src",
"7Server-optional-7.9:unoconv-0:0.6-8.el7.noarch",
"7Server-optional-7.9:unoconv-0:0.6-8.el7.src",
"7Workstation-7.9:unoconv-0:0.6-8.el7.noarch",
"7Workstation-7.9:unoconv-0:0.6-8.el7.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "unoconv: mishandling of pathname leads to SSRF and local file inclusion"
}
]
}
RHSA-2020_3944
Vulnerability from csaf_redhat - Published: 2020-09-29 21:07 - Updated: 2024-11-22 14:44
Summary
Red Hat Security Advisory: unoconv security update
Severity
Moderate
Notes
Topic: An update for unoconv is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Universal Office Converter (unoconv) is a command line tool to convert any document format that LibreOffice can import to any document format that LibreOffice can export. It makes use of the LibreOffice's UNO bindings for non-interactive conversion of documents.
Security Fix(es):
* unoconv: mishandling of pathname leads to SSRF and local file inclusion (CVE-2019-17400)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
7.5 (High)
Vendor Fix
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2020:3944
References
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for unoconv is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Universal Office Converter (unoconv) is a command line tool to convert any document format that LibreOffice can import to any document format that LibreOffice can export. It makes use of the LibreOffice\u0027s UNO bindings for non-interactive conversion of documents. \n\nSecurity Fix(es):\n\n* unoconv: mishandling of pathname leads to SSRF and local file inclusion (CVE-2019-17400)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:3944",
"url": "https://access.redhat.com/errata/RHSA-2020:3944"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index"
},
{
"category": "external",
"summary": "1765007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1765007"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_3944.json"
}
],
"title": "Red Hat Security Advisory: unoconv security update",
"tracking": {
"current_release_date": "2024-11-22T14:44:10+00:00",
"generator": {
"date": "2024-11-22T14:44:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2020:3944",
"initial_release_date": "2020-09-29T21:07:32+00:00",
"revision_history": [
{
"date": "2020-09-29T21:07:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-09-29T21:07:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T14:44:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.9",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.9",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "unoconv-0:0.6-8.el7.noarch",
"product": {
"name": "unoconv-0:0.6-8.el7.noarch",
"product_id": "unoconv-0:0.6-8.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/unoconv@0.6-8.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "unoconv-0:0.6-8.el7.src",
"product": {
"name": "unoconv-0:0.6-8.el7.src",
"product_id": "unoconv-0:0.6-8.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/unoconv@0.6-8.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "unoconv-0:0.6-8.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.9:unoconv-0:0.6-8.el7.noarch"
},
"product_reference": "unoconv-0:0.6-8.el7.noarch",
"relates_to_product_reference": "7Client-7.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "unoconv-0:0.6-8.el7.src as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.9:unoconv-0:0.6-8.el7.src"
},
"product_reference": "unoconv-0:0.6-8.el7.src",
"relates_to_product_reference": "7Client-7.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "unoconv-0:0.6-8.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9:unoconv-0:0.6-8.el7.noarch"
},
"product_reference": "unoconv-0:0.6-8.el7.noarch",
"relates_to_product_reference": "7Server-optional-7.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "unoconv-0:0.6-8.el7.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9:unoconv-0:0.6-8.el7.src"
},
"product_reference": "unoconv-0:0.6-8.el7.src",
"relates_to_product_reference": "7Server-optional-7.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "unoconv-0:0.6-8.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.9:unoconv-0:0.6-8.el7.noarch"
},
"product_reference": "unoconv-0:0.6-8.el7.noarch",
"relates_to_product_reference": "7Workstation-7.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "unoconv-0:0.6-8.el7.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.9:unoconv-0:0.6-8.el7.src"
},
"product_reference": "unoconv-0:0.6-8.el7.src",
"relates_to_product_reference": "7Workstation-7.9"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-17400",
"cwe": {
"id": "CWE-829",
"name": "Inclusion of Functionality from Untrusted Control Sphere"
},
"discovery_date": "2019-10-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1765007"
}
],
"notes": [
{
"category": "description",
"text": "The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "unoconv: mishandling of pathname leads to SSRF and local file inclusion",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-7.9:unoconv-0:0.6-8.el7.noarch",
"7Client-7.9:unoconv-0:0.6-8.el7.src",
"7Server-optional-7.9:unoconv-0:0.6-8.el7.noarch",
"7Server-optional-7.9:unoconv-0:0.6-8.el7.src",
"7Workstation-7.9:unoconv-0:0.6-8.el7.noarch",
"7Workstation-7.9:unoconv-0:0.6-8.el7.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-17400"
},
{
"category": "external",
"summary": "RHBZ#1765007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1765007"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-17400",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-17400"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17400",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17400"
}
],
"release_date": "2019-10-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-09-29T21:07:32+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-7.9:unoconv-0:0.6-8.el7.noarch",
"7Client-7.9:unoconv-0:0.6-8.el7.src",
"7Server-optional-7.9:unoconv-0:0.6-8.el7.noarch",
"7Server-optional-7.9:unoconv-0:0.6-8.el7.src",
"7Workstation-7.9:unoconv-0:0.6-8.el7.noarch",
"7Workstation-7.9:unoconv-0:0.6-8.el7.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3944"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Client-7.9:unoconv-0:0.6-8.el7.noarch",
"7Client-7.9:unoconv-0:0.6-8.el7.src",
"7Server-optional-7.9:unoconv-0:0.6-8.el7.noarch",
"7Server-optional-7.9:unoconv-0:0.6-8.el7.src",
"7Workstation-7.9:unoconv-0:0.6-8.el7.noarch",
"7Workstation-7.9:unoconv-0:0.6-8.el7.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "unoconv: mishandling of pathname leads to SSRF and local file inclusion"
}
]
}
PYSEC-2019-213
Vulnerability from pysec - Published: 2019-10-21 23:15 - Updated: 2021-08-27 03:22
Details
The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
Impacted products
| Name | purl |
|---|---|
| unoconv | pkg:pypi/unoconv |
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "unoconv",
"purl": "pkg:pypi/unoconv"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.6",
"0.8.2"
]
}
],
"aliases": [
"CVE-2019-17400",
"GHSA-27p5-7cw6-m45h"
],
"details": "The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.",
"id": "PYSEC-2019-213",
"modified": "2021-08-27T03:22:49.773623Z",
"published": "2019-10-21T23:15:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/unoconv/unoconv/pull/510"
},
{
"type": "WEB",
"url": "https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-27p5-7cw6-m45h"
}
]
}
BDU:2023-00196
Vulnerability from fstec - Published: 16.09.2019
Title
Уязвимость конвертера между форматами документов LibreOffice Unoconv, связанная с недостаточной проверкой поступающих запросов, позволяющая нарушителю получить доступ к конфиденциальным данным
Description
Уязвимость конвертера между форматами документов LibreOffice Unoconv связана с недостаточной проверкой поступающих запросов. Эксплуатация уязвимости позволяет нарушителю, действующему удаленно, получить доступ к конфиденциальным данным
Vendor
Сообщество свободного программного обеспечения, ООО «РусБИТех-Астра», АО "НППКТ"
Software Name
Debian GNU/Linux, Astra Linux Special Edition (запись в едином реестре российских программ №369), Unoconv, ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913)
Software Version
9 (Debian GNU/Linux), 1.6 «Смоленск» (Astra Linux Special Edition), 8 (Debian GNU/Linux), 10 (Debian GNU/Linux), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), до 0.9 (Unoconv), до 2.9 (ОСОН ОСнова Оnyx)
Possible Mitigations
Для Unoconv:
использование рекомендаций производителя: https://github.com/unoconv/unoconv/pull/510
Для Debian:
использование рекомендаций производителя: https://security-tracker.debian.org/tracker/CVE-2019-17400
Для ОС Astra Linux:
использование рекомендаций производителя: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2022-1221SE17MD
Для ОС Astra Linux Special Edition 4.7 для архитектуры ARM:
использование рекомендаций производителя: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2023-0131SE47MD
Для ОСОН ОСнова Оnyx:
Обновление программного обеспечения unoconv до версии 0.7-2
Для Astra Linux Special Edition 1.6 «Смоленск»:
обновить пакет unoconv до 0.7-2 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20241017SE16
Reference
https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/
https://github.com/unoconv/unoconv/pull/510
https://nvd.nist.gov/vuln/detail/CVE-2019-17400
https://security-tracker.debian.org/tracker/CVE-2019-17400
https://wiki.astralinux.ru/astra-linux-se17-bulletin-2022-1221SE17MD
https://wiki.astralinux.ru/astra-linux-se47-bulletin-2023-0131SE47MD
https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.9/
https://wiki.astralinux.ru/astra-linux-se16-bulletin-20241017SE16
CWE
CWE-918
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\"",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "9 (Debian GNU/Linux), 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Special Edition), 8 (Debian GNU/Linux), 10 (Debian GNU/Linux), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), \u0434\u043e 0.9 (Unoconv), \u0434\u043e 2.9 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0414\u043b\u044f Unoconv:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://github.com/unoconv/unoconv/pull/510\n\n\u0414\u043b\u044f Debian:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://security-tracker.debian.org/tracker/CVE-2019-17400\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2022-1221SE17MD\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux Special Edition 4.7 \u0434\u043b\u044f \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b ARM:\n\u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2023-0131SE47MD\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f unoconv \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 0.7-2\n\n\u0414\u043b\u044f Astra Linux Special 
Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb::\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 unoconv \u0434\u043e 0.7-2 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20241017SE16",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "16.09.2019",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "07.11.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "18.01.2023",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-00196",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2019-17400",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Debian GNU/Linux, Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Unoconv, \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 9 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 8 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e 
\u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 4.7 ARM (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.9 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043d\u0432\u0435\u0440\u0442\u0435\u0440\u0430 \u043c\u0435\u0436\u0434\u0443 \u0444\u043e\u0440\u043c\u0430\u0442\u0430\u043c\u0438 \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u043e\u0432 LibreOffice Unoconv, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u043f\u043e\u0441\u0442\u0443\u043f\u0430\u044e\u0449\u0438\u0445 \u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c \u0434\u0430\u043d\u043d\u044b\u043c",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0421\u0435\u0440\u0432\u0435\u0440\u043d\u0430\u044f \u0444\u0430\u043b\u044c\u0441\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432 (CWE-918)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043d\u0432\u0435\u0440\u0442\u0435\u0440\u0430 \u043c\u0435\u0436\u0434\u0443 \u0444\u043e\u0440\u043c\u0430\u0442\u0430\u043c\u0438 \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u043e\u0432 LibreOffice Unoconv \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u043f\u043e\u0441\u0442\u0443\u043f\u0430\u044e\u0449\u0438\u0445 \u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c \u0434\u0430\u043d\u043d\u044b\u043c",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041f\u043e\u0434\u043c\u0435\u043d\u0430 \u043f\u0440\u0438 \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/\nhttps://github.com/unoconv/unoconv/pull/510\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-17400\nhttps://security-tracker.debian.org/tracker/CVE-2019-17400\nhttps://wiki.astralinux.ru/astra-linux-se17-bulletin-2022-1221SE17MD\nhttps://wiki.astralinux.ru/astra-linux-se47-bulletin-2023-0131SE47MD\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.9/\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20241017SE16",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-918",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,8)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}
GHSA-27P5-7CW6-M45H
Vulnerability from github – Published: 2019-10-24 20:46 – Updated: 2024-11-18 22:12
Summary
Server-Side Request Forgery in unoconv
Details
The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "unoconv"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-17400"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2019-10-24T20:46:04Z",
"nvd_published_at": "2019-10-21T23:15:00Z",
"severity": "HIGH"
},
"details": "The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.",
"id": "GHSA-27p5-7cw6-m45h",
"modified": "2024-11-18T22:12:44Z",
"published": "2019-10-24T20:46:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17400"
},
{
"type": "WEB",
"url": "https://github.com/unoconv/unoconv/pull/510"
},
{
"type": "WEB",
"url": "https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-27p5-7cw6-m45h"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/unoconv/PYSEC-2019-213.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/unoconv/unoconv"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Server-Side Request Forgery in unoconv"
}
FKIE_CVE-2019-17400
Vulnerability from fkie_nvd – Published: 2019-10-21 23:15 – Updated: 2024-11-21 04:32
Severity ?
Summary
The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
References
| Source | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/ | Exploit, Third Party Advisory | |
| cve@mitre.org | https://github.com/unoconv/unoconv/pull/510 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/unoconv/unoconv/pull/510 | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| universal_office_converter_project | universal_office_converter | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:universal_office_converter_project:universal_office_converter:*:*:*:*:*:*:*:*",
"matchCriteriaId": "00493D19-50D6-473A-A38A-27763BA8E8B7",
"versionEndExcluding": "0.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion."
},
{
"lang": "es",
"value": "El paquete unoconv versiones anteriores a 0.9, maneja inapropiadamente los nombres de ruta no confiables, lo que conlleva a una vulnerabilidad de tipo SSRF e inclusi\u00f3n de archivos locales."
}
],
"id": "CVE-2019-17400",
"lastModified": "2024-11-21T04:32:16.003",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-10-21T23:15:12.183",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/unoconv/unoconv/pull/510"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/unoconv/unoconv/pull/510"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.