You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@allura.apache.org by Dave Brondsema <br...@apache.org> on 2018/02/06 17:55:10 UTC

[SECURITY] CVE-2018-1299 Apache Allura directory traversal vulnerability

CVE-2018-1299 Apache Allura directory traversal vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Allura 1.7.0 and earlier

Description:
Unauthenticated attackers may retrieve arbitrary files through the Allura web
application.  Some webservers used with Allura, such as Nginx, Apache/mod_wsgi
or paster may prevent the attack from succeeding.  Others, such as gunicorn do
not prevent it and leave Allura vulnerable.

Mitigation:
Users of vulnerable webservers with Allura should upgrade to Allura 1.8.0
immediately.

Credit:
This issue was discovered by Everardo Padilla Saca