Vulnerability CVE-2020-17525

Vulnerability Name:

CVE-2020-17525 (CCN-196602)

Assigned:

2020-08-12

Published:

2021-02-10

Updated:

2022-01-01

Summary:

Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL. This can lead to disruption for users of the service. This issue was fixed in mod_dav_svn+mod_authz_svn servers 1.14.1 and mod_dav_svn+mod_authz_svn servers 1.10.7

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

CWE-476
CWE-416

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2020-17525

Source: XF
Type: UNKNOWN
apache-cve202017525-dos(196602)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210504 [SECURITY] [DLA 2646-1] subversion security update

Source: CCN
Type: oss-sec Mailing List, Wed, 10 Feb 2021 14:36:33 +0100
[SECURITY][ANNOUNCE] Apache Subversion 1.14.1 released

Source: CCN
Type: oss-sec Mailing List, Wed, 10 Feb 2021 14:37:00 +0100
[SECURITY][ANNOUNCE] Apache Subversion 1.10.7 released

Source: CCN
Type: Apache Web site
Apache Subversion

Source: MISC
Type: Exploit, Patch, Vendor Advisory
https://subversion.apache.org/security/CVE-2020-17525-advisory.txt

Vulnerable Configuration:

Configuration 1:

cpe:/a:apache:subversion:*:*:*:*:*:*:*:* (Version >= 1.9.0 and < 1.10.7)

OR cpe:/a:apache:subversion:*:*:*:*:*:*:*:* (Version >= 1.11.0 and < 1.14.1)

Configuration 2:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:

cpe:/a:apache:subversion:0.14.0:*:*:*:*:*:*:*

OR cpe:/a:apache:subversion:1.10.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:8066	P	subversion-bash-completion-1.14.1-150400.3.8 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:8010	P	glibc-devel-32bit-2.31-150300.46.1 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:7811	P	subversion-1.14.1-150400.3.8 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:629	P	Security update for python-Flask-Security-Too (Moderate) (in QA)	2022-09-27
oval:org.opensuse.security:def:93147	P	(Important)	2022-07-06
oval:org.opensuse.security:def:3205	P	libltdl7-2.4.2-17.4.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3429	P	apache-commons-httpclient-3.1-4.364 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3555	P	libXdmcp6-1.1.1-12.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3529	P	jakarta-commons-fileupload-1.1.1-122.3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94835	P	subversion-1.14.1-150400.3.8 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94667	P	libncurses6-32bit-6.1-5.9.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95059	P	subversion-bash-completion-1.14.1-150400.3.8 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94941	P	libfribidi0-32bit-1.0.10-150400.1.7 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95159	P	subversion-server-1.14.1-150400.3.8 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:313	P	subversion-1.10.6-3.15.1 on GA media (Moderate)	2022-06-13
oval:org.opensuse.security:def:99192	P	(Important)	2022-03-29
oval:org.opensuse.security:def:100096	P	(Moderate)	2022-03-14
oval:org.opensuse.security:def:1242	P	Security update for cyrus-sasl (Important)	2022-03-07
oval:org.opensuse.security:def:101654	P	Security update for vim (Important)	2022-03-04
oval:org.opensuse.security:def:93300	P	(Important)	2022-01-25
oval:org.opensuse.security:def:112861	P	libsvn_auth_gnome_keyring-1-0-1.14.1-1.11 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:5934	P	Security update for glib-networking (Important)	2021-12-13
oval:org.opensuse.security:def:106322	P	libsvn_auth_gnome_keyring-1-0-1.14.1-1.11 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:63379	P	subversion-server-1.10.6-3.15.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:101405	P	subversion-server-1.10.6-3.15.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:2290	P	subversion-server-1.10.6-3.15.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:101380	P	libvirt-7.1.0-4.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:101089	P	subversion-1.10.6-3.15.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:72072	P	subversion-1.10.6-3.15.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:1955	P	subversion-bash-completion-1.10.6-3.15.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:72763	P	subversion-bash-completion-1.10.6-3.15.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62331	P	subversion-1.10.6-3.15.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:63044	P	subversion-bash-completion-1.10.6-3.15.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:102195	P	Security update for redis (Important)	2021-07-12
oval:org.opensuse.security:def:99387	P	(Important)	2021-06-18
oval:com.redhat.rhsa:def:20210507	P	RHSA-2021:0507: subversion:1.10 security update (Important)	2021-02-15
oval:org.opensuse.security:def:111219	P	Security update for subversion (Important)	2021-02-12
oval:org.opensuse.security:def:9637	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:96091	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:4532	P	Security update for the Linux Kernel (Live Patch 6 for SLE 12 SP5) (Important)	2021-02-10
oval:org.opensuse.security:def:92835	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:108861	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:69976	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:99586	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:8886	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:92242	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:117560	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:69099	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:76091	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:9836	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:98997	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:92994	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:109447	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:70337	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:97210	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:64644	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:99785	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:9081	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:92437	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:117834	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:108046	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:69583	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:10197	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:26189	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:70527	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:65621	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:73766	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:9443	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:95482	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:92636	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:118543	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:108320	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:69777	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:102781	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:10387	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:8696	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:92047	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:5176	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:67023	P	Security update for subversion (Important)	2021-02-10
oval:org.opensuse.security:def:74689	P	Security update for subversion (Important)	2021-02-10

BACK