CVE-2023-46851
N/A
N/A
Summary
Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments. Project administrators can run these imports, which could cause Allura to read local files and expose them. Exposing internal files then can lead to other exploits, like session hijacking, or remote code execution.
This issue affects Apache Allura from 1.0.1 through 1.15.0.
Users are recommended to upgrade to version 1.16.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache Allura | 1.0.1 <= 1.15.0 | affected |
Weaknesses
- CWE-20: CWE-20 Improper Input Validation
- CWE-73: CWE-73 External Control of File Name or Path
- CWE-200: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
ADP Enrichment
CVE Program Container
Additional References
- https://allura.apache.org/posts/2023-allura-1.16.0.html
- https://lists.apache.org/thread/hqk0vltl7qgrq215zgwjfoj0khbov0gx
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://allura.apache.org/posts/2023-allura-1.16.0.html
- https://lists.apache.org/thread/hqk0vltl7qgrq215zgwjfoj0khbov0gx
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.