Hello Neal,

Thanks for asking! Unfortunately, it looks like this is a 'global' advisory, and only 'repository' advisories have a 'credits' field.

This raises the question of whether we would like to support publishing 'repository' advisories for Apache projects to GitHub. I brought up that question on the security-discuss list[0] and reached out to GitHub, to see if they have the necessary infrastructure to provide such advisories programmatically from the advisory tooling we use at Apache.

Kind regards,
Arnout

[0]: https://lists.apache.org/thread/x4hx4nbp5tr4djgcsh4zlnryr4mmwlhp

On Thu, Jan 12, 2023 at 2:27 AM Neal Caffery <bing.e...@gmail.com> wrote:
>
> Hi,
>
> Sorry to bother you. I wonder if you can add credit for
> https://github.com/advisories/GHSA-gw4j-4229-q4px about this CVE. The process
> would be simple; you can refer to
> https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories.
>
> My GitHub username is madneal. Looking forward to hearing from you. Thanks.
>
> On Mon, May 31, 2021 at 2:43 PM Jun Liu <liu...@apache.org> wrote:
>>
>> Hi
>>
>> Severity: low
>>
>> Vendor:
>> The Dubbo Project Team
>>
>> Versions Affected:
>> Dubbo 2.7.0 to 2.7.9
>> Dubbo 2.6.0 to 2.6.9
>> Dubbo all 2.5.x versions (not supported by official team any longer)
>>
>> Description:
>> The usage of parseURL method will lead to the bypass of white host check
>> which can cause open redirect or SSRF vulnerability. Evil URL sample:
>> https://evilhost#@whitehost
>>
>> Mitigation:
>> Upgrade to 2.7.10+ or 2.6.9+ accordingly based on the version currently
>> using.
>> https://github.com/apache/dubbo/releases/tag/dubbo-2.7.10
>> https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10
>> https://dubbo.apache.org/en/blog/2020/05/18/past-releases/
>>
>> Credit:
>> This issue was first reported by Bing Dong
>>
>> Jun
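The advisory quoted above describes a host allowlist that could be bypassed with a URL of the form `https://evilhost#@whitehost`. The following Java snippet is an added illustration of that bug class and its fix; it is not Dubbo's `parseURL` code and not part of the thread. The allowlist contents, the class and method names, and the hand-rolled `naiveHost` parser are all constructed for this example. `naiveHost` shows the mistake in general terms (taking whatever follows the last `@` as the host without first cutting the authority at `#`, `/` or `?`), and `isAllowed` shows a check that delegates that decision to `java.net.URI`, which ends the authority at the first `/`, `?` or `#` as the URL RFCs require.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Constructed example: allowlist check for redirect / outbound-fetch targets.
// Not Dubbo's code; ALLOWED_HOSTS and the method names are assumptions.
public class HostAllowlistCheck {

    // Hosts we are willing to redirect to or fetch from (constructed sample).
    static final Set<String> ALLOWED_HOSTS = Set.of("whitehost");

    // Naive host extraction: everything after the last '@' in the authority.
    // This is the class of mistake the advisory describes (illustrative, not
    // Dubbo's real parseURL). Because '#' is not treated as the end of the
    // authority before the '@' split, "https://evilhost#@whitehost" yields
    // "whitehost" and passes the allowlist, while any real resolver will
    // connect to "evilhost" and treat "@whitehost" as the fragment.
    static String naiveHost(String url) {
        int schemeEnd = url.indexOf("://");
        String rest = schemeEnd >= 0 ? url.substring(schemeEnd + 3) : url;
        int at = rest.lastIndexOf('@');
        if (at >= 0) {
            rest = rest.substring(at + 1);
        }
        int end = rest.length();
        for (char c : new char[] {'/', '?', '#', ':'}) {
            int i = rest.indexOf(c);
            if (i >= 0 && i < end) {
                end = i;
            }
        }
        return rest.substring(0, end);
    }

    // Hardened check: let an RFC-conformant parser decide where the authority
    // ends. java.net.URI parses "https://evilhost#@whitehost" as
    // host = "evilhost", fragment = "@whitehost", so the allowlist rejects it.
    static boolean isAllowed(String url) {
        try {
            URI uri = new URI(url);
            String host = uri.getHost();
            if (host == null) {
                // No parseable host (opaque URI, malformed authority, etc.)
                return false;
            }
            if (uri.getRawUserInfo() != null) {
                // Defence in depth: redirect/fetch targets have no business
                // carrying user:password@ at all, so refuse them outright.
                return false;
            }
            return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            // Anything the parser cannot make sense of is not allowed.
            return false;
        }
    }

    public static void main(String[] args) {
        String evil = "https://evilhost#@whitehost";
        String good = "https://whitehost/path";
        System.out.println("naive host of " + evil + " = " + naiveHost(evil));
        System.out.println("naive allowlist passes evil URL: "
                + ALLOWED_HOSTS.contains(naiveHost(evil)));
        System.out.println("hardened allowlist passes evil URL: " + isAllowed(evil));
        System.out.println("hardened allowlist passes good URL: " + isAllowed(good));
    }
}
```

Running `main` shows `naiveHost` returning `whitehost` for the evil sample, so the naive allowlist accepts it, whereas `isAllowed` rejects it and accepts `https://whitehost/path`. The design point is the one the mitigation relies on: never reimplement URL splitting in a security check; parse with the platform's URI parser, take the host from the parsed object, and compare it against the allowlist exactly, rejecting anything with user info or without a host rather than trying to normalise it.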