Platform: other
Component: allegra
Fixed in: 7.5.1
CVE-2023-51639 is a critical directory traversal vulnerability discovered in Allegra, allowing attackers to bypass authentication and potentially access sensitive files. This flaw arises from inadequate validation of user-supplied paths within the downloadExportedChart action. Affected versions include 7.5.0.24 through 7.5.0.24, and a fix is available in version 7.5.1.
The impact of CVE-2023-51639 is severe due to the ease of exploitation and the potential for unauthorized access. An attacker can bypass authentication entirely, meaning no credentials are required to trigger the vulnerability. This allows them to traverse the file system and potentially download confidential data, modify system files, or execute arbitrary code if the underlying system has further vulnerabilities. The lack of authentication makes this vulnerability particularly concerning, as it significantly broadens the attack surface and lowers the barrier to entry for malicious actors. Successful exploitation could lead to a complete compromise of the Allegra installation and potentially the underlying server.
CVE-2023-51639 was publicly disclosed on November 22, 2024. The vulnerability was reported to ZDI (ZDI-CAN-22361). Given the ease of exploitation and the critical CVSS score, it is likely that public proof-of-concept exploits will emerge. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations using Allegra for data visualization and reporting are at risk, particularly those running the affected versions (7.5.0.24–7.5.0.24). Shared hosting environments where multiple users share the same Allegra instance are especially vulnerable, as a compromised account could be used to exploit this vulnerability and access data belonging to other users.
• linux / server: Monitor access logs for requests to the downloadExportedChart endpoint with unusual or manipulated path parameters. Use grep to search for patterns indicative of directory traversal attempts (e.g., ../, ..\).
    grep 'downloadExportedChart' /var/log/apache2/access.log | grep -E '\.\.(/|\\)'
• generic web: Use curl to test the downloadExportedChart endpoint with various path traversal payloads. Inspect the response headers and content for signs of unauthorized file access.
    curl -si 'http://allegra-server/downloadExportedChart?file=../../../../etc/passwd'
Disclosure
Exploit status
EPSS: 0.51% (66th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2023-51639 is to upgrade Allegra to version 7.5.1 or later, which contains the necessary fix. If immediate upgrading is not possible, consider implementing temporary workarounds. While a direct WAF rule is difficult without knowing the exact file paths being targeted, restricting access to the downloadExportedChart endpoint and implementing strict input validation on any file path parameters could offer some limited protection. Thoroughly review and restrict file system permissions to minimize the potential damage from a successful attack. After upgrading, confirm the vulnerability is resolved by attempting to access a file outside of the intended directory via the downloadExportedChart action; it should be denied.
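One way to implement the strict file-path validation and the access-log check described above, as an added example that is not Allegra's code: the endpoint name and the `file` parameter are taken from the detection section, while the export directory and the sample log lines are constructed assumptions.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed example: the directory exported charts are meant to be served from.
EXPORT_DIR = "/srv/allegra/exports"

# What the grep in the detection section looks for, plus URL-encoded variants.
TRAVERSAL_RE = re.compile(r"\.\.(/|\\|%2f|%5c)|%2e%2e", re.IGNORECASE)


def safe_export_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` inside `base_dir`, or None if it
    escapes it. This is the strict file-path validation the mitigation calls for."""
    # Decode twice so a double-encoded '%252e%252e' is not waved through.
    decoded = unquote(unquote(requested))
    # Normalise backslashes so '..\' is treated like '../' regardless of platform.
    decoded = decoded.replace("\\", "/")
    # Reject empty names, absolute paths and any '..' segment before touching the FS.
    if not decoded or decoded.startswith("/") or ".." in decoded.split("/"):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Containment check: after symlink resolution the path must still sit under base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def traversal_hits(log_lines: List[str], endpoint: str = "downloadExportedChart") -> List[str]:
    """Return access-log lines that hit `endpoint` and carry a traversal pattern."""
    return [ln for ln in log_lines
            if endpoint.lower() in ln.lower() and TRAVERSAL_RE.search(ln)]


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Nov/2024:10:01:02 +0000] "GET /downloadExportedChart?file=chart1.png HTTP/1.1" 200 5120',
    '10.0.0.9 - - [22/Nov/2024:10:01:07 +0000] "GET /downloadExportedChart?file=../../../../etc/passwd HTTP/1.1" 200 1843',
    '10.0.0.9 - - [22/Nov/2024:10:01:09 +0000] "GET /downloadExportedChart?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0',
    '10.0.0.7 - - [22/Nov/2024:10:02:00 +0000] "GET /login HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for name in ("chart1.png", "../../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{name!r:40} -> {safe_export_path(EXPORT_DIR, name)}")
    for hit in traversal_hits(SAMPLE_LOG):
        print("suspicious:", hit)
```

The second log line shows why the detection matters on unpatched hosts: a 200 status with a non-zero body on a traversal request is the signal that a file outside the export directory was actually served.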
Update Allegra to version 7.5.1 or later. This version fixes the authentication bypass and directory traversal vulnerability. For more information about the update, see the release notes for version 7.5.1.
CVE-2023-51639 is a critical vulnerability in Allegra allowing attackers to bypass authentication and access files due to insufficient path validation. It affects versions 7.5.0.24–7.5.0.24.
You are affected if you are running Allegra versions 7.5.0.24 through 7.5.0.24. Check your version and upgrade immediately.
Upgrade Allegra to version 7.5.1 or later to resolve the vulnerability. If upgrading is not immediately possible, implement temporary workarounds like restricting access to the vulnerable endpoint.
While no active exploitation has been confirmed, the ease of exploitation and critical severity suggest it is likely to be targeted. Monitor security advisories and threat intelligence.
Refer to the Allegra security advisory for details and updates: [https://www.allegra.de/security-advisories/](https://www.allegra.de/security-advisories/)