Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL. Project administrators can run these imports, which could cause Allura to read from internal services and expose them.
This issue affects Apache Allura from 1.0.1 through 1.16.0.
Users are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.
References
Configurations
No configuration.
History
21 Nov 2024, 09:22
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
References | () https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh - |
03 Jul 2024, 02:03
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
11 Jun 2024, 13:54
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
10 Jun 2024, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-10 22:15
Updated : 2024-11-21 09:22
NVD link : CVE-2024-36471
Mitre link : CVE-2024-36471
CVE.ORG link : CVE-2024-36471
JSON object : View
Products Affected
No product.