Description
Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments. Project administrators can run these imports, which could cause Allura to read local files and expose them. Exposing internal files can then lead to other exploits, such as session hijacking or remote code execution. This issue affects Apache Allura from 1.0.1 through 1.15.0. Users are recommended to upgrade to version 1.16.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.
References (2)
Patch, Vendor Advisory: https://allura.apache.org/posts/2023-allura-1.16.0.html
Mailing List, Vendor Advisory: https://lists.apache.org/thread/hqk0vltl7qgrq215zgwjfoj0khbov0gx
Scores
CVSS v3: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Attack Vector: NETWORK
EPSS: 0.0031
EPSS Percentile: 54.3%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-200, CWE-20, CWE-73
Status: published
Products (1)
apache/allura: 1.0.1 - 1.16.0
Published: Nov 07, 2023
Tracked Since: Feb 18, 2026