{"api_version":"1","generated_at":"2026-04-22T17:48:41+00:00","cve":"CVE-2023-46851","urls":{"html":"https://cve.report/CVE-2023-46851","api":"https://cve.report/api/cve/CVE-2023-46851.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-46851","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-46851"},"summary":{"title":"CVE-2023-46851","description":"Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments. Project administrators can run these imports, which could cause Allura to read local files and expose them.  Exposing internal files then can lead to other exploits, like session hijacking, or remote code execution.\n\nThis issue affects Apache Allura from 1.0.1 through 1.15.0.\n\nUsers are recommended to upgrade to version 1.16.0, which fixes the issue.  If you are unable to upgrade, set \"disable_entry_points.allura.importers = forge-tracker, forge-discussion\" in your .ini config file.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2023-11-07 09:15:00","updated_at":"2023-11-15 14:13:00"},"problem_types":[],"metrics":[],"references":[{"url":"https://allura.apache.org/posts/2023-allura-1.16.0.html","name":"https://allura.apache.org/posts/2023-allura-1.16.0.html","refsource":"","tags":[],"title":"Apache Allura 1.16.0 released with critical security fix","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread/hqk0vltl7qgrq215zgwjfoj0khbov0gx","name":"https://lists.apache.org/thread/hqk0vltl7qgrq215zgwjfoj0khbov0gx","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-46851","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46851","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"46851","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"allura","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-46851","ASSIGNER":"security@apache.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments. Project administrators can run these imports, which could cause Allura to read local files and expose them.  Exposing internal files then can lead to other exploits, like session hijacking, or remote code execution.\n\nThis issue affects Apache Allura from 1.0.1 through 1.15.0.\n\nUsers are recommended to upgrade to version 1.16.0, which fixes the issue.  If you are unable to upgrade, set \"disable_entry_points.allura.importers = forge-tracker, forge-discussion\" in your .ini config file.\n\n"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20 Improper Input Validation","cweId":"CWE-20"}]},{"description":[{"lang":"eng","value":"CWE-73 External Control of File Name or Path","cweId":"CWE-73"}]},{"description":[{"lang":"eng","value":"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","cweId":"CWE-200"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Apache Software Foundation","product":{"product_data":[{"product_name":"Apache Allura","version":{"version_data":[{"version_affected":"<=","version_name":"1.0.1","version_value":"1.15.0"}]}}]}}]}},"references":{"reference_data":[{"url":"https://allura.apache.org/posts/2023-allura-1.16.0.html","refsource":"MISC","name":"https://allura.apache.org/posts/2023-allura-1.16.0.html"},{"url":"https://lists.apache.org/thread/hqk0vltl7qgrq215zgwjfoj0khbov0gx","refsource":"MISC","name":"https://lists.apache.org/thread/hqk0vltl7qgrq215zgwjfoj0khbov0gx"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"discovery":"EXTERNAL"},"credits":[{"lang":"en","value":"Stefan Schiller (Sonar)"}]},"nvd":{"publishedDate":"2023-11-07 09:15:00","lastModifiedDate":"2023-11-15 14:13:00","problem_types":[],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.9,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.2,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:allura:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0.1","versionEndExcluding":"1.16.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}