Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-36471

Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL. Project administrators can run these imports, which could cause Allura to read from internal services and expose them. This issue affects Apache Allura from 1.0.1 through 1.16.0. Users are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.

Published

2024-06-10T22:15:11.893

Last Modified

2025-07-15T16:36:48.790

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-20
CWE-200
CWE-918

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	allura	< 1.17.0	Yes

References

https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh Mailing List, Vendor Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2024/06/10/1 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)