Apache Allura: sensitive information exposure via DNS rebinding

Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL.  Project administrators can run these imports, which could cause Allura to read from internal services and expose them. This issue affects Apache Allura from 1.0.1 through 1.16.0. Users are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.

N/A

输入验证不恰当

Apache Allura 代码问题漏洞

Apache Allura是美国阿帕奇（Apache）基金会的一套开源项目托管平台。该平台支持管理源代码存储库、错误报告、维基页面和博客等。 Apache Allura 1.0.1版本至1.16.0版本存在代码问题漏洞，该漏洞源于导入功能在 URL 验证和处理之间容易受到 DNS 重新绑定攻击。

N/A

N/A