A vulnerability was found in the unoconv package before 0.9, which mishandles untrusted pathnames, leading to SSRF and local file inclusion.
Reference:
https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/
https://github.com/unoconv/unoconv/pull/510
Created unoconv tracking bugs for this issue:
Affects: fedora-all [bug 1765008]
Upstream commit for this issue: https://github.com/unoconv/unoconv/commit/acfac594e643f9c44f1c3b8d6d8957190a4d76f2
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:3944 https://access.redhat.com/errata/RHSA-2020:3944
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-17400