Hello Neal,

Thanks for asking! Unfortunately, it looks like this is a 'global' advisory, and only 'repository' advisories have a 'credits' field.

This raises the question of whether we would like to support publishing 'repository' advisories for Apache projects to GitHub. I brought up that question on the security-discuss list and reached out to GitHub, to see if they have the necessary infrastructure to provide such advisories programmatically from the advisory tooling we use at Apache.

Kind regards,
Arnout

https://lists.apache.org/thread/x4hx4nbp5tr4djgcsh4zlnryr4mmwlhp

On Thu, Jan 12, 2023 at 2:27 AM Neal Caffery <bing.e...@gmail.com> wrote:
>
> Hi,
>
> Sorry to bother you. I wonder if you can add credit for
> https://github.com/advisories/GHSA-gw4j-4229-q4px about this CVE. The process
> would be simple; you can refer to
> https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories.
>
> My GitHub username is madneal. Looking forward to hearing from you. Thanks.
>
> On Mon, May 31, 2021 at 2:43 PM Jun Liu <liu...@apache.org> wrote:
>>
>> Hi
>>
>> Severity: low
>>
>> Vendor:
>> The Dubbo Project Team
>>
>> Versions Affected:
>> Dubbo 2.7.0 to 2.7.9
>> Dubbo 2.6.0 to 2.6.9
>> Dubbo all 2.5.x versions (not supported by official team any longer)
>>
>> Description:
>> The usage of parseURL method will lead to the bypass of white host check
>> which can cause open redirect or SSRF vulnerability. Evil URL sample:
>> https://evilhost#@whitehost
>>
>> Mitigation:
>> Upgrade to 2.7.10+ or 2.6.9+ accordingly based on the version currently
>> in use.
>> https://github.com/apache/dubbo/releases/tag/dubbo-2.7.10
>> https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10
>> https://dubbo.apache.org/en/blog/2020/05/18/past-releases/
>>
>> Credit:
>> This issue was first reported by Bing Dong
>>
>> Jun
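The advisory quoted above describes a host allowlist check defeated by `https://evilhost#@whitehost`. The following is an added illustration, not Dubbo's code or anything from this thread: a hypothetical string-based host extraction that mishandles userinfo (`naive_host`) is placed beside an RFC 3986 parse with `urllib.parse`, where the authority ends at the first `/`, `?` or `#`, so `#@whitehost` is a fragment and the real host is `evilhost`. The allowlist `ALLOWED_HOSTS` is a constructed value.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for the example; only exact host matches are accepted.
ALLOWED_HOSTS = {"whitehost"}


def naive_host(url: str) -> str:
    """Hypothetical host extraction of the kind the advisory warns about.

    It cuts the authority at the first '/' only and takes whatever follows
    the last '@', so a '#' inside the authority is never treated as the
    start of a fragment. Not Dubbo's code; it models the failure mode.
    """
    rest = url.split("://", 1)[1]
    authority = rest.split("/", 1)[0]
    host = authority.rsplit("@", 1)[-1]
    return host.split(":", 1)[0].lower()


def naive_check(url: str) -> bool:
    """Allowlist check built on the flawed extraction (the 'before')."""
    return naive_host(url) in ALLOWED_HOSTS


def parsed_host(url: str) -> Optional[str]:
    """RFC 3986 parse: urlsplit stops the netloc at '/', '?' or '#',
    then .hostname strips userinfo and port and lower-cases the result."""
    return urlsplit(url).hostname


def strict_check(url: str) -> bool:
    """Hardened allowlist check: fixed scheme set, parsed host, exact match."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    return host is not None and host in ALLOWED_HOSTS


if __name__ == "__main__":
    sample = "https://evilhost#@whitehost"   # the advisory's example URL
    print("naive host :", naive_host(sample), "-> allowed:", naive_check(sample))
    print("parsed host:", parsed_host(sample), "-> allowed:", strict_check(sample))
```

Running the block shows the naive path reporting `whitehost` (allowed) while the parsed path reports `evilhost` (rejected); exact matching also rejects look-alike hosts such as `whitehost.evil.example`.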