Critical code flaw in SourceForge puts 20 million users at risk

A critical arbitrary file read vulnerability, tracked as CVE-2023-46851, was discovered in Apache Allura, the software that forms the backbone of SourceForge. The flaw posed a threat to the platform's security and affected more than 20 million users worldwide.

This vulnerability allows threat actors to gain unauthorised access, manipulate data, spread malicious software, hijack sessions, and execute code remotely.

The discovery raised concerns because exploitation could have led to a complete compromise of SourceForge, a web-based repository of open-source software projects. The case also underscores the considerable risk posed by vulnerabilities in centralised software distribution platforms, where a single exploit can have widespread repercussions.

“Apache Allura versions 1.15.0 and below are prone to an arbitrary file read vulnerability,” noted researchers. “There were no signs of in-the-wild exploitation.”

The arbitrary file read vulnerability allowed threat actors to gain unauthorised access to sensitive files and data on SourceForge's systems. By submitting a malicious JSON file whose attachment URL pointed to a local file, attackers could abuse SourceForge's import feature, triggering a sequence of actions that led to the unauthorised retrieval of files from the server.

Figure: The Discussion tool. Source: Sonar

Specifically, attackers leveraged the discussion import feature in SourceForge. SourceForge allows users to self-register accounts and create projects with various tools, including the Discussion tool.

By importing a specially crafted JSON file with an attachment URL pointing to a local file on the server, attackers exploited the vulnerability in the add_posts method of the ForgeDiscussionImporter class.

This method, which is responsible for re-creating posts during import, passed the malicious attachment URL unchecked to the File class constructor, which eventually called ‘urlopen’ on it, so the server read the local file and returned its contents to the attacker.
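The check that the import path described above was missing, written here as an added example rather than Apache Allura's own code: attachment URLs taken from an uploaded export are validated before anything is fetched, refusing file:// URLs and bare local paths (the page's case) and, going one step further, literal loopback and private IP hosts. The export format and all function names are assumptions for illustration.

```python
# Added example (not Apache Allura's code): a minimal model of the import-time
# attachment handling described above. Export format and names are assumptions.
import ipaddress
import json
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

class RejectedAttachment(ValueError):
    """Raised when an attachment URL must not be fetched by the importer."""

def validate_attachment_url(url: str) -> str:
    """Return url only if it is an absolute http(s) URL to a public host.

    Refuses the page's case (file:// URLs and bare local paths) and, one step
    beyond it, literal loopback/private/link-local IP hosts.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise RejectedAttachment(f"scheme not allowed: {parsed.scheme or 'none'}")
    host = parsed.hostname
    if not host:
        raise RejectedAttachment("missing host")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return url  # a host name; resolving it is out of scope here
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        raise RejectedAttachment(f"non-public address: {host}")
    return url

def triage_export(export_json: str) -> dict:
    """Sort every attachment URL in an export into fetchable vs rejected (with reason)."""
    ok, rejected = [], {}
    for post in json.loads(export_json).get("posts", []):
        for att in post.get("attachments", []):
            try:
                ok.append(validate_attachment_url(att["url"]))
            except RejectedAttachment as exc:
                rejected[att["url"]] = str(exc)
    return {"ok": ok, "rejected": rejected}

# Constructed sample export: one legitimate attachment, three that must be refused.
SAMPLE_EXPORT = json.dumps({"posts": [
    {"text": "hello", "attachments": [{"url": "https://example.org/a.png"}]},
    {"text": "bad", "attachments": [{"url": "file:///etc/hostname"},
                                    {"url": "/etc/hostname"},
                                    {"url": "http://127.0.0.1:8080/secret"}]},
]})
```

Running triage_export on SAMPLE_EXPORT keeps only the https attachment and records a reason for each refused URL, which is the decision an importer should make before any urlopen call.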

Through this attack process, threat actors could have accessed sensitive data, including session validation keys, potentially paving the way for remote code execution and further compromise of SourceForge’s systems.

SourceForge has disabled the discussion import feature entirely and applied the patch for the flaw, which has been released as Apache Allura 1.16.0.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me