Hello Neal,

Thanks for your asking! Unfortunately, it looks like this is a
'global' advisory, and only 'repository' advisories have a 'credits'

This raises the question of whether we would like to support
publishing 'repository' advisories for Apache projects to GitHub. I
brought up that question on the security-discuss list[0] and reached
out to GitHub, to see if they have the necessary infrastructure to
provide such advisories programmatically from the advisory tooling we
use at Apache.

Kind regards,

[0]: https://lists.apache.org/thread/x4hx4nbp5tr4djgcsh4zlnryr4mmwlhp

On Thu, Jan 12, 2023 at 2:27 AM Neal Caffery <bing.e...@gmail.com> wrote:
> Hi,
> Sorry to bother you. I wonder if you can add credit for 
> https://github.com/advisories/GHSA-gw4j-4229-q4px about this cve. The process 
> would be simple, can refer to 
> https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories.
> My github username is madneal. Looking forward to hearing from you. Thanks.
> On Mon, May 31, 2021 at 2:43 PM Jun Liu <liu...@apache.org> wrote:
>> Hi
>> Severity: low
>> Vendor:
>> The Dubbo Project Team
>> Versions Affected:
>> Dubbo 2.7.0 to 2.7.9
>> Dubbo 2.6.0 to 2.6.9
>> Dubbo all 2.5.x versions (not supported by official team any longer)
>> Description:
>> The usage of parseURL method will lead to the bypass of white host check 
>> which can cause open redirect or SSRF vulnerability.  Evil URL sample: 
>> https://evilhost#@whitehost
>> Mitigation:
>> Upgrade to 2.7.10+ or 2.6.9+ accordingly based on the version currently 
>> using.
>> https://github.com/apache/dubbo/releases/tag/dubbo-2.7.10
>> https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10
>> https://dubbo.apache.org/en/blog/2020/05/18/past-releases/
>> Credit:
>> This issue was first reported by Bing Dong
>> Jun

Reply via email to