Apache Allura <1.16: allura.importers URL injection reads local FS
CVE-2023-46851 Published on November 7, 2023
Apache Allura: sensitive information exposure via import
Allura's Discussion and Forum importers do not restrict the URL values specified for attachments. Project administrators can run these imports, which could cause Allura to read local files and expose them. Exposure of internal files can then enable further attacks, such as session hijacking or remote code execution.
This issue affects Apache Allura from 1.0.1 through 1.15.0.
Users are recommended to upgrade to version 1.16.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.
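As an added illustration of the missing check (not Allura's own code, and not the 1.16.0 patch), the following validates an attachment URL's scheme and host before an importer would fetch it, so a file: URL, a bare path or a loopback address embedded in imported data is rejected rather than read from the server. The function names and the sample records are assumptions for the example.

```python
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeAttachmentURL(ValueError):
    """Raised when an imported attachment URL must not be fetched."""


def check_attachment_url(url: str) -> str:
    """Return url if it is an http(s) URL to a public host, else raise.
    Rejects file:, data:, ftp: and bare paths (which would make the importer
    read the server's own filesystem) plus loopback/private/link-local IPs.
    Hostnames are not resolved here (assumption: the fetcher checks DNS)."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeAttachmentURL(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise UnsafeAttachmentURL("missing host")
    if host == "localhost" or host.endswith(".localhost"):
        raise UnsafeAttachmentURL("loopback host")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return url  # a DNS name rather than an IP literal
    if not addr.is_global:
        raise UnsafeAttachmentURL(f"non-public address: {host}")
    return url


def filter_import_attachments(attachments):
    """Return (accepted_urls, [(url, reason), ...]) so an import skips
    unsafe entries instead of fetching every attachment URL it is given."""
    accepted, rejected = [], []
    for att in attachments:
        try:
            accepted.append(check_attachment_url(att["url"]))
        except UnsafeAttachmentURL as exc:
            rejected.append((att["url"], str(exc)))
    return accepted, rejected


# Constructed sample import records (hypothetical, not a real Allura export).
SAMPLE_ATTACHMENTS = [
    {"url": "https://example.org/files/report.pdf"},
    {"url": "file:///etc/hostname"},
    {"url": "http://127.0.0.1:8080/status"},
    {"url": "/etc/hostname"},
]
```

Calling `filter_import_attachments(SAMPLE_ATTACHMENTS)` accepts only the https entry and reports a reason for each of the other three.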
Weakness Types
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
External Control of File Name or Path
The software allows user input to control or influence paths or file names that are used in filesystem operations.
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2023-46851 has been classified as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2023-46851
Affected Versions
Apache Software Foundation Apache Allura: versions from 1.0.1 through 1.15.0 (inclusive) are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.