Vulnerability Monitor


CVE-2023-46851


Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments. Project administrators can run these imports, so an attachment URL supplied in import data could cause Allura to read local files and expose them. Exposing internal files can then lead to further exploits such as session hijacking or remote code execution. This issue affects Apache Allura from 1.0.1 through 1.15.0. Users are recommended to upgrade to version 1.16.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file; this workaround switches the tracker and discussion importers off entirely rather than restricting the URLs they accept, so those import features are unavailable until you upgrade.
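The following is an added example for operators checking their exposure; it is not code from the Apache Allura project or from the advisory. It encodes only what the advisory states: the affected range 1.0.1 through 1.15.0 (1.16.0 fixes it) and the documented workaround key "disable_entry_points.allura.importers" with both "forge-tracker" and "forge-discussion" listed. The .ini section name [app:main] and the sample .ini contents are constructed for illustration, and attachment_url_allowed() shows the general class of control the description says was missing (a URL scheme allowlist that rejects file: URLs); it is not Allura's actual patch.

```python
"""Offline exposure check for CVE-2023-46851 on an Apache Allura deployment.

Added example, not Allura project code. Facts taken from the advisory:
  - Apache Allura 1.0.1 through 1.15.0 is affected; 1.16.0 fixes the issue.
  - Workaround: disable_entry_points.allura.importers = forge-tracker, forge-discussion
The [app:main] section name and the sample .ini text are constructed here.
"""
import configparser
from urllib.parse import urlsplit

FIRST_AFFECTED = (1, 0, 1)
LAST_AFFECTED = (1, 15, 0)
CONFIG_KEY = "disable_entry_points.allura.importers"
REQUIRED_DISABLED = {"forge-tracker", "forge-discussion"}


def parse_version(version: str) -> tuple:
    """Turn '1.15.0' into (1, 15, 0); missing parts become 0, non-digits are dropped."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version: str) -> bool:
    """True for the inclusive range 1.0.1 .. 1.15.0 named in the advisory."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


def disabled_importers(ini_text: str) -> set:
    """Collect every importer entry point disabled in any section of the .ini."""
    # Allura ini files use %(here)s-style values; disable interpolation so
    # the parser does not try to expand them.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    found = set()
    for section in parser.sections():
        if parser.has_option(section, CONFIG_KEY):
            raw = parser.get(section, CONFIG_KEY)
            found.update(p.strip() for p in raw.split(",") if p.strip())
    return found


def workaround_applied(ini_text: str) -> bool:
    """The workaround counts only if BOTH importers named in the advisory are off."""
    return REQUIRED_DISABLED <= disabled_importers(ini_text)


def assess(version: str, ini_text: str) -> str:
    """'not-affected' (outside the range), 'mitigated' (workaround set) or 'vulnerable'."""
    if not is_affected_version(version):
        return "not-affected"
    if workaround_applied(ini_text):
        return "mitigated"
    return "vulnerable"


def attachment_url_allowed(url: str) -> bool:
    """Illustrative scheme allowlist (not Allura's fix): an importer that only
    fetches http(s) URLs cannot be pointed at file:///... or a bare local path."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


# Constructed sample configurations, not copied from a real deployment.
SAMPLE_INI_MITIGATED = """\
[app:main]
disable_entry_points.allura.importers = forge-tracker, forge-discussion
"""

SAMPLE_INI_PARTIAL = """\
[app:main]
disable_entry_points.allura.importers = forge-tracker
"""

SAMPLE_INI_UNMITIGATED = """\
[app:main]
"""

if __name__ == "__main__":
    for ver, ini in [("1.15.0", SAMPLE_INI_UNMITIGATED),
                     ("1.15.0", SAMPLE_INI_PARTIAL),
                     ("1.15.0", SAMPLE_INI_MITIGATED),
                     ("1.16.0", SAMPLE_INI_UNMITIGATED)]:
        print(ver, assess(ver, ini))
    for u in ("https://example.org/a.png", "file:///etc/passwd", "/etc/passwd"):
        print(u, attachment_url_allowed(u))
```

Run it against your own version string and the contents of your Allura .ini to see whether you are relying on the upgrade or on the workaround; a partially applied workaround (only one of the two importers disabled) is reported as vulnerable on purpose.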


Published

2023-11-07T09:15:07.313

Last Modified

2024-11-21T08:29:25.597

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.9 (MEDIUM)

Weaknesses
  • Type: Primary
    CWE-20 Improper Input Validation
    CWE-73 External Control of File Name or Path
    CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Affected Vendors & Products
Type         Vendor   Product   Version/Range   Vulnerable?
Application  apache   allura    < 1.16.0        Yes
