Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2023-46851

UNKNOWN
Published 2023-11-07T08:56:35.172Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2023-46851. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments. Project administrators can run these imports, which could cause Allura to read local files and expose them.  Exposing internal files then can lead to other exploits, like session hijacking, or remote code execution.

This issue affects Apache Allura from 1.0.1 through 1.15.0.

Users are recommended to upgrade to version 1.16.0, which fixes the issue.  If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Apache Software Foundation

Apache Allura

Affected Versions:

1.0.1

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed MODERATE

GHSA-7f2c-c54p-7m36

Advisory Details

Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments. Project administrators can run these imports, which could cause Allura to read local files and expose them.  Exposing internal files then can lead to other exploits, like session hijacking, or remote code execution. This issue affects Apache Allura from 1.0.1 through 1.15.0. Users are recommended to upgrade to version 1.16.0, which fixes the issue.  If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-46851
WEB https://allura.apache.org/posts/2023-allura-1.16.0.html
WEB https://lists.apache.org/thread/hqk0vltl7qgrq215zgwjfoj0khbov0gx

Advisory provided by GitHub Security Advisory Database. Published: November 15, 2023, Modified: November 15, 2023

References

https://allura.apache.org/posts/2023-allura-1.16.0.html
https://lists.apache.org/thread/hqk0vltl7qgrq215zgwjfoj0khbov0gx
Published: 2023-11-07T08:56:35.172Z
Last Modified: 2024-09-04T20:12:28.257Z
Copied to clipboard!