[SECURITY] CVE-2018-1299 Apache Allura directory traversal vulnerability

[Dave Brondsema <brondsem () apache org>]

CVE-2018-1299 Apache Allura directory traversal vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Allura 1.7.0 and earlier

Description:
Unauthenticated attackers may retrieve arbitrary files through the Allura web
application.  Some webservers used with Allura, such as Nginx, Apache/mod_wsgi
or paster may prevent the attack from succeeding.  Others, such as gunicorn do
not prevent it and leave Allura vulnerable.

Mitigation:
Users of vulnerable webservers with Allura should upgrade to Allura 1.8.0
immediately.

Credit:
This issue was discovered by Everardo Padilla Saca