Apache · Apache Allura · CVE-2024-36471
**Name of the Vulnerable Software and Affected Versions**
Apache Allura versions 1.0.1 through 1.16.0
**Description**
The import functionality verifies a user-supplied URL and fetches it in a later step, which leaves it open to DNS rebinding attacks between the verification and the processing of the URL. Project administrators can run these imports, so a rebinding attack could cause Allura to read from internal services and expose their contents.
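The window described above is a time-of-check/time-of-use gap: the hostname is resolved once when the URL is validated and again when the fetch library opens the connection, and a rebinding attacker's DNS server answers differently the second time. The following added example (not Allura's own code; all function names are hypothetical and the resolver answers and addresses are constructed) shows the flawed check-then-fetch pattern beside the standard fix: resolve once, validate every returned address, and make the fetch connect to that pinned address, sending the original hostname only as the HTTP `Host` header / TLS server name.

```python
"""Resolve-once, connect-to-pinned-address pattern for a URL import feature.

Added example, not Allura's code. Helper names are hypothetical; the
resolver answers used below are constructed sample data.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop an IPv6 zone id
    return ip.is_global and not (
        ip.is_multicast or ip.is_loopback or ip.is_link_local
        or ip.is_private or ip.is_reserved or ip.is_unspecified
    )


def system_resolver(host: str) -> list[str]:
    """Real DNS lookup; the demonstration injects fake resolvers instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def make_rebinding_resolver(first: list[str], later: list[str]):
    """Constructed resolver: answers `first` on the first query and `later`
    on every later one, imitating an attacker-controlled authoritative server."""
    calls = {"n": 0}

    def resolve(host: str) -> list[str]:
        calls["n"] += 1
        return list(first) if calls["n"] == 1 else list(later)

    return resolve


def vulnerable_import_target(url: str, resolver) -> str:
    """Check-then-fetch with two independent lookups (the flawed pattern)."""
    host = urlsplit(url).hostname
    if not all(is_public_address(a) for a in resolver(host)):  # check
        raise ValueError("URL resolves to a non-public address")
    # The fetch library resolves the name again: this is the TOCTOU window.
    return resolver(host)[0]


def pin_import_url(url: str, resolver=system_resolver) -> dict:
    """Resolve once, validate, and return the pinned connection target."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only absolute http(s) URLs are accepted")
    addrs = resolver(parts.hostname)
    if not addrs:
        raise ValueError("hostname did not resolve")
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        raise ValueError(f"URL resolves to non-public address(es): {bad}")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,  # value for the Host header / TLS server name
        "ip": addrs[0],          # address the socket must actually connect to
        "port": parts.port or (443 if parts.scheme == "https" else 80),
        "path": parts.path or "/",
    }


def hardened_import_target(url: str, resolver) -> str:
    """The fetch uses the pinned IP; later DNS answers are never consulted."""
    return pin_import_url(url, resolver)["ip"]


if __name__ == "__main__":
    url = "https://importer.example/export.json"  # constructed sample URL
    attacker_dns = make_rebinding_resolver(["11.22.33.44"], ["10.0.0.5"])
    print("vulnerable flow connects to", vulnerable_import_target(url, attacker_dns))
    attacker_dns = make_rebinding_resolver(["11.22.33.44"], ["10.0.0.5"])
    print("hardened flow connects to ", hardened_import_target(url, attacker_dns))
```

The pinned target only helps if the HTTP client honours it: open the socket to `ip`, send `host` in the `Host` header and as the TLS server name, and apply the same validation to every redirect target, since a redirect is another chance to hand the fetcher a new hostname.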
**Recommendations**
For versions 1.0.1 through 1.16.0, upgrade to version 1.17.0 to fix the issue.
If unable to upgrade, set `disable_entry_points.allura.importers = forge-tracker, forge-discussion` in the .ini config file as a temporary workaround.