Koji 1.13.0 does not properly validate SCM paths.
Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to work around blacklisted paths for build submission.
Koji versions 1.14.0 and forward contain the fix.
This bug was tracked as issue#563
Fixed versions can be found at our releases page:
https://pagure.io/koji/releases