SSRF via Office file thumbnails

On August 12, 2019, a group of researchers reported an exploit path for a vulnerability in LibreOffice. Slack uses LibreOffice to process certain file types for preview. A specially crafted file uploaded to Slack could permit local file access and expose an internal Slack AWS credential for the container used to process these files. This was categorized as Critical, in our internal rubric, which is aligned with CVSSv3. We fixed the bug on August 13th, 2019. Following a thorough investigation, Slack concluded the this vulnerability was not exploited except by the security researcher who reported this issue, and that this researcher did not gain access customer data. The vulnerability and fix to LibreOffice and the unoconv library was later documented in [CVE-2019-17400](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17400). Slack would like to thank researchers @ziot, @daeken, @smiegles, and @erbbysam for their report.