Apache Allura security advisories
Security information for Apache Allura
Reporting
Do you want disclose a potential security issue for Apache Allura? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Stored authenticated XSS
CVE-2024-38379 [CVE] [CVE json] [OSV json]
Last updated: 2025-02-06T14:32:32.361Z
Affected
- Apache Allura from 1.4.0 through 1.17.0
Description
Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.
This issue affects Apache Allura: from 1.4.0 through 1.17.0.
Users are recommended to upgrade to version 1.17.1, which fixes the issue.
References
Credits
- Ă–mer “WASP” Akincir (finder)
sensitive information exposure via DNS rebinding
CVE-2024-36471 [CVE] [CVE json] [OSV json]
Last updated: 2024-06-10T21:55:03.113Z
Affected
- Apache Allura from 1.0.1 through 1.16.0
Description
Users are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.
References
Credits
- truff https://x.com/truffzor (finder)
sensitive information exposure via import
CVE-2023-46851 [CVE] [CVE json] [OSV json]
Last updated: 2023-11-07T08:56:30.662Z
Affected
- Apache Allura from 1.0.1 through 1.15.0
Description
Users are recommended to upgrade to version 1.16.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.
References
- https://allura.apache.org/posts/2023-allura-1.16.0.html
- https://lists.apache.org/thread/hqk0vltl7qgrq215zgwjfoj0khbov0gx
Credits
- Stefan Schiller (Sonar) (finder)