CVE-2024-36471

June 10, 2024, 10:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Apache Allura

  • 1.0.1 - 1.16.0

Source

security@apache.org

CVE-2024-36471 details

Published : June 10, 2024, 10:15 p.m.
Last Modified : June 10, 2024, 10:15 p.m.

Description

Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL. Project administrators can run these imports, which could cause Allura to read from internal services and expose them. This issue affects Apache Allura from 1.0.1 through 1.16.0. Users are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.
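The gap between verification and processing described above, as an added Python example (not Allura's code and not the 1.17.0 fix): a check that validates one DNS answer and then lets the fetch resolve the name again, beside a version that resolves once and connects to the validated address. The function names, the injected `resolve` and `fetch` callables, the hostname and the addresses are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def is_public(ip):
    """True only for globally routable addresses (not loopback, RFC 1918, link-local)."""
    return ipaddress.ip_address(ip).is_global


def check_then_fetch(url, resolve, fetch):
    """Flawed pattern: validate one DNS answer, then resolve the name again to fetch."""
    host = urlsplit(url).hostname
    if not all(is_public(ip) for ip in resolve(host)):
        raise ValueError("blocked: %s resolves to a non-public address" % host)
    return fetch(resolve(host)[0])  # second lookup; may differ from the validated one


def resolve_once_then_fetch(url, resolve, fetch):
    """Hardened pattern: resolve once, validate every answer, connect to that IP."""
    host = urlsplit(url).hostname
    addrs = resolve(host)
    if not addrs or not all(is_public(ip) for ip in addrs):
        raise ValueError("blocked: %s resolves to a non-public address" % host)
    return fetch(addrs[0])  # pinned address; no further DNS lookup


class ChangingResolver:
    """Constructed stand-in for DNS whose answer changes between lookups."""

    def __init__(self, answers):
        self.answers = list(answers)
        self.calls = 0

    def __call__(self, host):
        answer = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return [answer]


def demo():
    """Return the address each pattern ends up connecting to."""
    url = "https://import-source.example/export.json"  # constructed URL
    fetch = lambda ip: ip  # stand-in for the HTTP request; reports the peer address
    answers = ["8.8.8.8", "127.0.0.1"]  # constructed: public first, loopback after
    flawed = check_then_fetch(url, ChangingResolver(answers), fetch)
    pinned = resolve_once_then_fetch(url, ChangingResolver(answers), fetch)
    return flawed, pinned
```

In a real HTTP client, connecting to the pinned address still requires sending the original hostname in the Host header and TLS SNI so that certificate validation applies to the name.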

References

  • https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh (source: security@apache.org)