Date: Tue, 6 Feb 2018 12:55:10 -0500 From: Dave Brondsema <brondsem@...che.org> To: dev@...ura.apache.org, users@...ura.apache.org, announce@...che.org, oss-security@...ts.openwall.com, security@...che.org Subject: [SECURITY] CVE-2018-1299 Apache Allura directory traversal vulnerability CVE-2018-1299 Apache Allura directory traversal vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Allura 1.7.0 and earlier Description: Unauthenticated attackers may retrieve arbitrary files through the Allura web application. Some webservers used with Allura, such as Nginx, Apache/mod_wsgi or paster may prevent the attack from succeeding. Others, such as gunicorn do not prevent it and leave Allura vulnerable. Mitigation: Users of vulnerable webservers with Allura should upgrade to Allura 1.8.0 immediately. Credit: This issue was discovered by Everardo Padilla Saca
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.