Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to work around blacklisted paths for build submission.
CVSS: 7.5 | AI Score: 7.5 | EPSS: 0.001
Koji versions 1.12, 1.13, 1.14 and 1.15 contain an incorrect access control vulnerability resulting in arbitrary filesystem read/write access. This vulnerability has been fixed in versions 1.12.1, 1.13.1, 1.14.1 and 1.15.1.
CVSS: 9.1 | AI Score: 9 | EPSS: 0.002
Koji through 1.18.0 allows remote Directory Traversal, with resultant Privilege Escalation.
CVSS: 6.5 | AI Score: 6.3 | EPSS: 0.012