Original disclosure for client-side attack:
https://seclists.org/oss-sec/2019/q4/122

Disclosure follow-up (server-side attack):
https://seclists.org/oss-sec/2020/q3/116

Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1774905