CVE-2017-1002153: Koji deny list paths workaround

May 13, 2022 (updated November 22, 2024)

Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to work around deny list paths for build submission.

References

github.com/advisories/GHSA-vwp5-w4rq-g4cc
github.com/koji-project/koji
github.com/pypa/advisory-database/tree/main/vulns/koji/PYSEC-2017-144.yaml
nvd.nist.gov/vuln/detail/CVE-2017-1002153
pagure.io/koji/issue/563

Code Behaviors & Features

Detect and mitigate CVE-2017-1002153 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →