NVD

Vulnerability Change Records for CVE-2024-36471

Action	Type	New Value
Added	Description	Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL. Project administrators can run these imports, which could cause Allura to read from internal services and expose them. This issue affects Apache Allura from 1.0.1 through 1.16.0. Users are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.
Added	CWE	Apache Software Foundation CWE-20
Added	CWE	Apache Software Foundation CWE-200
Added	CWE	Apache Software Foundation CWE-918
Added	Reference	Apache Software Foundation https://lists.apache.org/thread/g43164t4bcp0tjwt4opxyks4svm8kvbh [No types assigned]