Posted to users@allura.apache.org by Dave Brondsema <br...@apache.org> on 2018/02/06 17:55:10 UTC
[SECURITY] CVE-2018-1299 Apache Allura directory traversal vulnerability
CVE-2018-1299 Apache Allura directory traversal vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache Allura 1.7.0 and earlier
Description:
Unauthenticated attackers may retrieve arbitrary files through the Allura web
application. Some webservers used with Allura, such as Nginx, Apache/mod_wsgi
or paster, may prevent the attack from succeeding. Others, such as gunicorn, do
not prevent it and leave Allura vulnerable.
Mitigation:
Users of vulnerable webservers with Allura should upgrade to Allura 1.8.0
immediately.
Credit:
This issue was discovered by Everardo Padilla Saca
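
An application-level containment check that does not depend on which webserver sits in front, added here as an example: it is not Allura's code and not the fix shipped in 1.8.0. The names `resolve_under_root` and `demo`, the directory tree and the request paths are all constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under_root(root, url_path):
    """Map a URL path to a file under root, or return None if it escapes.

    Hypothetical helper for illustration; not an Allura function.
    """
    # Decode percent-escapes so encoded dot segments are seen
    # (assumes the raw, still-encoded URL path is passed in).
    decoded = unquote(url_path)
    # Reject NUL bytes and backslashes; neither belongs in a static path.
    if "\x00" in decoded or "\\" in decoded:
        return None
    root_real = os.path.realpath(root)
    # lstrip("/") stops os.path.join from discarding root on an absolute path.
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    # realpath collapses ".." and follows symlinks, so compare the final location.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Build a constructed directory tree and check constructed request paths."""
    with tempfile.TemporaryDirectory() as tmp:
        static = os.path.join(tmp, "static")
        os.makedirs(os.path.join(static, "css"))
        with open(os.path.join(static, "css", "site.css"), "w") as fh:
            fh.write("body{}")
        # A file outside the served root that must never be returned.
        with open(os.path.join(tmp, "secret.ini"), "w") as fh:
            fh.write("key=constructed")
        requests = [
            "/css/site.css",                         # plain file under root
            "/css/../css/site.css",                  # dot segments that stay inside
            "/../secret.ini",                        # dot segments that leave root
            "/css/%2e%2e/%2e%2e/secret.ini",         # same, percent-encoded
            "//" + tmp.lstrip("/") + "/secret.ini",  # absolute path to the file
        ]
        return [resolve_under_root(static, r) is not None for r in requests]


if __name__ == "__main__":
    print(demo())
```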