CVE-2024-36471

Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL.  Project administrators can run these imports, which could cause Allura to read from internal services and expose them. This issue affects Apache Allura from 1.0.1 through 1.16.0. Users are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.
Configurations

No configuration.

History

21 Nov 2024, 09:22

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/06/10/1 -
References () https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh - () https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh -

03 Jul 2024, 02:03

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5

11 Jun 2024, 13:54

Type Values Removed Values Added
Summary
  • (es) La funcionalidad de importación es vulnerable a ataques de revinculación de DNS entre la verificación y el procesamiento de la URL. Los administradores de proyectos pueden ejecutar estas importaciones, lo que podría hacer que Allura lea servicios internos y los exponga. Este problema afecta a Apache Allura desde la versión 1.0.1 hasta la 1.16.0. Se recomienda a los usuarios actualizar a la versión 1.17.0, que soluciona el problema. Si no puede actualizar, configure "disable_entry_points.allura.importers = forge-tracker, forge-discussion" en su archivo de configuración .ini.

10 Jun 2024, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-10 22:15

Updated : 2024-11-21 09:22


NVD link : CVE-2024-36471

Mitre link : CVE-2024-36471

CVE.ORG link : CVE-2024-36471


JSON object : View

Products Affected

No product.

CWE
CWE-20

Improper Input Validation

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-918

Server-Side Request Forgery (SSRF)