ASA-2019-00596 – unoconv: Server Side Request Forgery (SSRF) and Local File Inclusion (LFI) due to mishandling of untrusted pathnames


Allele Security Alert

ASA-2019-00596

Identifier(s)

ASA-2019-00596, CVE-2019-17400

Title

Server Side Request Forgery (SSRF) and Local File Inclusion (LFI) due to mishandling of untrusted pathnames

Vendor(s)

Dag Wieers

Product(s)

unoconv

Affected version(s)

unoconv version before 0.9

Fixed version(s)

unoconv version 0.9

Proof of concept

Unknown

Description

The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.

Technical details

Unknown

Credits

Unknown

Reference(s)

change default updateDocMode behavior and add new option to keep old behavior #510
https://github.com/unoconv/unoconv/pull/510

change default updateDocMode behavior and add new option to keep old behavior #510
https://github.com/unoconv/unoconv/pull/510/commits/1a5ddf2b6eade65df380821b4a1d8f1b70ad765f

A Tale of Exploitation in Spreadsheet File Conversions | Brett Buerhaus
https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/

CVE-2019-17400 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-17400

CVE-2019-17400
https://security-tracker.debian.org/tracker/CVE-2019-17400

CVE-2019-17400 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-17400.html

CVE-2019-17400 | SUSE
https://www.suse.com/security/cve/CVE-2019-17400

CVE-2019-17400
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17400

CVE-2019-17400
https://nvd.nist.gov/vuln/detail/CVE-2019-17400

If there is any error in this alert or you would like a comprehensive analysis, let us know.

Last modified: November 7, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.