PT-2023-30242 · Apache · Apache Allura

Author: Stefan Schiller · Published: 2023-11-07 · Updated: 2024-04-18 · CVE-2023-46851

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Allura versions 1.0.1 through 1.15.0

Description: The issue allows project administrators to import attachments from unrestricted URL values, which can cause Apache Allura to read local files on the server and expose their contents. Such a disclosure can be chained into further attacks, such as session hijacking or remote code execution.

Recommendations: For versions 1.0.1 through 1.15.0, upgrade to version 1.16.0 to fix the issue. If upgrading is not possible, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in the .ini config file as a temporary workaround.
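The check the description implies, as an added defensive example (not Apache Allura's own code): an importer should accept only http(s) URLs naming a non-local host before fetching an administrator-supplied attachment URL, so file:// paths and loopback or private addresses are refused before any read happens. The `fetch` callable and the sample URLs are assumptions constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTNAMES = {"localhost", "localhost.localdomain"}


def is_safe_attachment_url(url: str) -> bool:
    """Return True only for http(s) URLs naming a non-local host."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ALLOWED_SCHEMES:
        return False          # file://, ftp://, data:, or a bare local path
    host = parts.hostname     # already lower-cased by urlsplit
    if not host:
        return False          # e.g. "http:///etc/passwd" has an empty host
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True           # named host; resolve and re-check in production
    # Literal IP: refuse loopback, link-local, private, reserved and similar ranges
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_reserved or addr.is_unspecified or addr.is_multicast)


def import_attachment(url: str, fetch):
    """Fetch an attachment only after the URL passes validation.

    `fetch` is a caller-supplied callable (an assumption for this example)
    so the function can be exercised without network access.
    """
    if not is_safe_attachment_url(url):
        raise ValueError(f"attachment URL rejected: {url!r}")
    return fetch(url)


# Constructed sample inputs contrasting a legitimate remote attachment
# with the local-file and internal-host cases a validator must reject.
SAMPLE_URLS = [
    "https://files.example.org/ticket-42/design.pdf",   # accepted
    "file:///etc/passwd",                                # rejected: local file
    "http://127.0.0.1:8080/internal/status",             # rejected: loopback
    "http://[::1]/secret",                               # rejected: IPv6 loopback
    "/etc/passwd",                                       # rejected: no scheme
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{'allow' if is_safe_attachment_url(u) else 'deny ':5} {u}")
```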

Tags: Fix · Information Disclosure · RCE

Related Identifiers: CVE-2023-46851

Affected Products: Apache Allura