PT-2024-27017 · Apache · Apache Allura
Truff +1 · Published 2024-06-10 · Updated 2025-07-15 · CVE-2024-36471
CVSS v3.1: 7.5 High · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Allura versions 1.0.1 through 1.16.0
Description: The import functionality is vulnerable to DNS rebinding between verification and processing of the URL: the hostname is resolved and checked once, then resolved again when the import is actually fetched, so an attacker-controlled DNS server can answer the second lookup with an internal address (a time-of-check/time-of-use SSRF). Project administrators can run these imports, which could cause Allura to read from internal services and expose their responses.
Recommendations: For versions 1.0.1 through 1.16.0, upgrade to version 1.17.0, which fixes the issue. If unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in the .ini config file as a temporary workaround; this turns off the forge-tracker and forge-discussion importers rather than correcting the URL check.
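The check-then-fetch race described above, shown as an added illustration that is not Allura's code and not the 1.17.0 fix (which the advisory does not describe). The hostname attacker.example, the address 93.184.216.34, and the RebindingResolver and FakeNetwork classes are constructed test doubles: the resolver answers the first lookup with a public address and every later lookup with loopback, exactly what a rebinding DNS server does. import_url_vulnerable validates the name and then lets the HTTP client resolve it a second time; import_url_pinned resolves once, validates that answer and connects to that IP with the hostname carried only in the Host header, so there is no second lookup to rebind.

```python
import http.client
import ipaddress
import socket
from urllib.parse import urlsplit


def is_public_address(ip_str):
    """Accept only globally routable unicast addresses. Loopback, RFC 1918,
    link-local (including 169.254.169.254 metadata endpoints), multicast and
    unspecified addresses are what an SSRF attacker wants, so reject them."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host):
    """Real resolver: one OS lookup, first returned address."""
    return socket.getaddrinfo(host, None)[0][4][0]


class RebindingResolver:
    """Constructed stand-in for an attacker-controlled authoritative DNS server
    (not a real service): the first query gets a public address, each later
    query an internal one. A real attacker sets TTL 0 so clients re-query."""

    def __init__(self, answers):
        self.answers = list(answers)
        self.calls = 0

    def __call__(self, host):
        answer = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return answer


def http_connect(ip, host, path, port=80, timeout=5):
    """Connect to the already-validated IP, never to the name; the hostname
    travels only in the Host header. Plain HTTP only: for HTTPS the socket
    would additionally be wrapped with server_hostname=host for SNI."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


class FakeNetwork:
    """Constructed fake network: which service answers at which IP."""

    def __init__(self, services):
        self.services = services

    def __call__(self, ip, host, path, port=80, timeout=5):
        return 200, self.services[ip].encode()


def import_url_vulnerable(url, resolve=system_resolver, connect=http_connect):
    """Check-then-fetch: the name is resolved and validated, then handed to an
    HTTP client that resolves it again (time-of-check / time-of-use)."""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or "/"
    if not is_public_address(resolve(host)):        # lookup 1: verification
        raise ValueError("blocked: %s is not a public address" % host)
    return connect(resolve(host), host, path)       # lookup 2: the fetch


def import_url_pinned(url, resolve=system_resolver, connect=http_connect):
    """Resolve exactly once, validate that answer, connect to that IP. Redirects
    are not followed here; a real importer must run every redirect target
    through this same check instead of letting the client follow it."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("only absolute http:// URLs are handled in this example")
    host, path = parts.hostname, parts.path or "/"
    ip = resolve(host)                              # the only lookup
    if not is_public_address(ip):
        raise ValueError("blocked: %s is not a public address" % host)
    return connect(ip, host, path)


def demo():
    """Run both importers against the rebinding resolver; return what each read."""
    network = FakeNetwork({"93.184.216.34": "public project export",
                           "127.0.0.1": "INTERNAL admin service"})
    results = {}
    for name, importer in (("vulnerable", import_url_vulnerable),
                           ("pinned", import_url_pinned)):
        dns = RebindingResolver(["93.184.216.34", "127.0.0.1"])
        status, body = importer("http://attacker.example/export.json",
                                resolve=dns, connect=network)
        results[name] = body.decode()
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the vulnerable importer handing back the internal service's response while the pinned one reads the public host it validated. The pinning is only as good as its coverage: every redirect hop, every retry and every IPv6 or v4-mapped answer has to pass through the same single-resolution path, and the connection must be opened to the IP, not re-resolved from the name by the HTTP library.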

Fix · Information Disclosure · SSRF · RCE

Weakness Enumeration

Related Identifiers: CVE-2024-36471

Affected Products: Apache Allura