Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to work around blacklisted paths for build submission.
"https://github.com/pypa/advisory-database/blob/main/vulns/koji/PYSEC-2017-144.yaml"