CVE-2024-36471

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-36471

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36471.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-36471

Published

2024-06-10T22:15:11.893Z

Modified

2026-04-02T12:17:05.675501Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL. Project administrators can run these imports, which could cause Allura to read from internal services and expose them.

This issue affects Apache Allura from 1.0.1 through 1.16.0.

Users are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set "disableentrypoints.allura.importers = forge-tracker, forge-discussion" in your .ini config file.

References

Affected packages

Git / github.com/apache/allura

Affected ranges

Type

GIT

Repo

https://github.com/apache/allura

Events

Introduced

924e0204706aeb5367e60df19ba38b26ac4474a3

Fixed

3a72196e711051174bfad608e517e7161f496426

Database specific

{
    "versions": [
        {
            "introduced": "1.0.1"
        },
        {
            "fixed": "1.17.0"
        }
    ]
}

Affected versions

asf_release_1.*

asf_release_1.0.1

asf_release_1.1.0

asf_release_1.2.0

asf_release_1.2.1

asf_release_1.3.0

asf_release_1.3.1

asf_release_1.3.2

rel/1.*

rel/1.0.1

rel/1.1.0

rel/1.10.0

rel/1.11.0

rel/1.11.1

rel/1.12.0

rel/1.13.0

rel/1.14.0

rel/1.15.0

rel/1.16.0

rel/1.2.0

rel/1.2.1

rel/1.3.0

rel/1.3.1

rel/1.3.2

rel/1.4.0

rel/1.5.0

rel/1.6.0

rel/1.7.0

rel/1.8.0

rel/1.8.1

rel/1.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36471.json"