Home > Vulnerability Database > CVE-2024-36471

Mend.io Vulnerability Database

CVE-2024-36471

Date: June 10, 2024

Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL. Project administrators can run these imports, which could cause Allura to read from internal services and expose them. This issue affects Apache Allura from 1.0.1 through 1.16.0. Users are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.

Language: Python

Severity Score

7.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-36471

Url: https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh

Url: https://github.com/apache/allura/commit/156ec6f093c5537a815e004d088013bd68333fbe

Url: http://www.openwall.com/lists/oss-security/2024/06/10/1

Url: https://www.mend.io/vulnerability-database/CVE-2024-36471

Severity Score

7.5

Weakness Type (CWE)

Improper Input Validation

CWE-20

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Server-Side Request Forgery (SSRF)

CWE-918

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-36471

Date: June 10, 2024

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?