Koji through 1.18.0 allows remote Directory Traversal, with resultant Privilege Escalation.
www.openwall.com/lists/oss-security/2019/10/09/5
docs.pagure.org/koji/CVE-2019-17109/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BGUXMZIAQFFNNQ7PEFDAYQCXXKJR76U/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7PSCCFHLNVFLDPC7DB4UJGXD6ZWBSY57/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DEQYYGWLJBQQVTAC7E7XSDGVF27NPMPB/
pagure.io/koji/commits/master