oss-sec mailing list archives
[SECURITY] CVE-2018-1299 Apache Allura directory traversal vulnerability
From: Dave Brondsema <brondsem () apache org>
Date: Tue, 6 Feb 2018 12:55:10 -0500
CVE-2018-1299 Apache Allura directory traversal vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Allura 1.7.0 and earlier Description: Unauthenticated attackers may retrieve arbitrary files through the Allura web application. Some webservers used with Allura, such as Nginx, Apache/mod_wsgi or paster may prevent the attack from succeeding. Others, such as gunicorn do not prevent it and leave Allura vulnerable. Mitigation: Users of vulnerable webservers with Allura should upgrade to Allura 1.8.0 immediately. Credit: This issue was discovered by Everardo Padilla Saca
Current thread:
- [SECURITY] CVE-2018-1299 Apache Allura directory traversal vulnerability Dave Brondsema (Feb 06)