CVE-2024-36471

Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL. Project administrators can run these imports, which could cause Allura to read from internal services and expose them. This issue affects Apache Allura from 1.0.1 through 1.16.0. Users are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/06/10/1	Mailing List Third Party Advisory
https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:allura:*:*:*:*:*:*:*:*

History

15 Jul 2025, 16:36

Type	Values Removed	Values Added
References	~~() https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh -~~	() https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh - Mailing List, Vendor Advisory
References	~~() http://www.openwall.com/lists/oss-security/2024/06/10/1 -~~	() http://www.openwall.com/lists/oss-security/2024/06/10/1 - Mailing List, Third Party Advisory
CPE		cpe:2.3:a:apache:allura::::::::
First Time		Apache allura Apache

Information

Published : 2024-06-10 22:15

Updated : 2025-07-15 16:36

NVD link : CVE-2024-36471

Mitre link : CVE-2024-36471

CVE.ORG link : CVE-2024-36471

JSON object : View

Products Affected

apache

allura

CWE

CWE-20

Improper Input Validation

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2024-36471", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-06-10T22:15:11.893", "references": [{"url": "https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/10/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL.\u00a0 Project administrators can run these imports, which could cause Allura to read from internal services and expose them.\n\nThis issue affects Apache Allura from 1.0.1 through 1.16.0.\n\nUsers are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set \"disable_entry_points.allura.importers = forge-tracker, forge-discussion\" in your .ini config file.\n\n"}, {"lang": "es", "value": "La funcionalidad de importaci\u00f3n es vulnerable a ataques de revinculaci\u00f3n de DNS entre la verificaci\u00f3n y el procesamiento de la URL. Los administradores de proyectos pueden ejecutar estas importaciones, lo que podr\u00eda hacer que Allura lea servicios internos y los exponga. Este problema afecta a Apache Allura desde la versi\u00f3n 1.0.1 hasta la 1.16.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 1.17.0, que soluciona el problema. Si no puede actualizar, configure \"disable_entry_points.allura.importers = forge-tracker, forge-discussion\" en su archivo de configuraci\u00f3n .ini."}], "lastModified": "2025-07-15T16:36:48.790", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:allura:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "76E69316-1D72-4CBB-AA0C-100B63D70004", "versionEndExcluding": "1.17.0", "versionStartIncluding": "1.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}