In Apache Allura before 1.8.0, unauthenticated attackers may retrieve arbitrary files through the Allura web application. Some webservers used with Allura, such as Nginx, Apache/mod_wsgi or paster may prevent the attack from succeeding. Others, such as gunicorn do not prevent it and leave Allura vulnerable.
[
{
"product": "Apache Allura",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0 to 1.7.0"
}
]
}
]