Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL. Project administrators can run these imports, which could cause Allura to read from internal services and expose them.

This issue affects Apache Allura from 1.0.1 through 1.16.0.

Users are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.

Related CVEs

CVE-2024-36471

Key Information

GHSA ID

GHSA-2q7f-pr29-qfh5

Published

June 11, 2024 12:30 AM

Last Modified

July 15, 2025 6:31 PM

CVSS Score

7.5 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: November 25, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.