CVE-2024-36471

{"id": "CVE-2024-36471", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-06-10T22:15:11.893", "references": [{"url": "https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh", "source": "security@apache.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL.\u00a0 Project administrators can run these imports, which could cause Allura to read from internal services and expose them.\n\nThis issue affects Apache Allura from 1.0.1 through 1.16.0.\n\nUsers are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set \"disable_entry_points.allura.importers = forge-tracker, forge-discussion\" in your .ini config file.\n\n"}, {"lang": "es", "value": "La funcionalidad de importaci\u00f3n es vulnerable a ataques de revinculaci\u00f3n de DNS entre la verificaci\u00f3n y el procesamiento de la URL. Los administradores de proyectos pueden ejecutar estas importaciones, lo que podr\u00eda hacer que Allura lea servicios internos y los exponga. Este problema afecta a Apache Allura desde la versi\u00f3n 1.0.1 hasta la 1.16.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 1.17.0, que soluciona el problema. Si no puede actualizar, configure \"disable_entry_points.allura.importers = forge-tracker, forge-discussion\" en su archivo de configuraci\u00f3n .ini."}], "lastModified": "2024-07-03T02:03:13.647", "sourceIdentifier": "security@apache.org"}