CVE-2018-1299 Apache Allura directory traversal vulnerability Severity: Important
Vendor: The Apache Software Foundation Versions Affected: Apache Allura 1.7.0 and earlier Description: Unauthenticated attackers may retrieve arbitrary files through the Allura web application. Some webservers used with Allura, such as Nginx, Apache/mod_wsgi or paster may prevent the attack from succeeding. Others, such as gunicorn do not prevent it and leave Allura vulnerable. Mitigation: Users of vulnerable webservers with Allura should upgrade to Allura 1.8.0 immediately. Credit: This issue was discovered by Everardo Padilla Saca
