We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments. Project administrators can run these imports, which could cause Allura to read local files and expose them. Exposing internal files then can lead to other exploits, like session hijacking, or remote code execution. This issue affects Apache Allura from 1.0.1 through 1.15.0. Users are recommended to upgrade to version 1.16.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.
Reserved 2023-10-27 | Published 2023-11-07 | Updated 2024-09-04 | Assigner apacheCWE-20 Improper Input Validation
CWE-73 External Control of File Name or Path
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Stefan Schiller (Sonar)
allura.apache.org/posts/2023-allura-1.16.0.html
lists.apache.org/thread/hqk0vltl7qgrq215zgwjfoj0khbov0gx
Support options