Vulnerability Name: CVE-2020-17525 (CCN-196602)

Assigned: 2020-08-12
Published: 2021-02-10
Updated: 2022-01-01
Summary: Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL. This can lead to disruption for users of the service. This issue was fixed in mod_dav_svn+mod_authz_svn servers 1.14.1 and mod_dav_svn+mod_authz_svn servers 1.10.7.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-476
CWE-416
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2020-17525

Source: XF
Type: UNKNOWN
apache-cve202017525-dos(196602)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210504 [SECURITY] [DLA 2646-1] subversion security update

Source: CCN
Type: oss-sec Mailing List, Wed, 10 Feb 2021 14:36:33 +0100
[SECURITY][ANNOUNCE] Apache Subversion 1.14.1 released

Source: CCN
Type: oss-sec Mailing List, Wed, 10 Feb 2021 14:37:00 +0100
[SECURITY][ANNOUNCE] Apache Subversion 1.10.7 released

Source: CCN
Type: Apache Web site
Apache Subversion

Source: MISC
Type: Exploit, Patch, Vendor Advisory
https://subversion.apache.org/security/CVE-2020-17525-advisory.txt

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:apache:subversion:*:*:*:*:*:*:*:* (Version >= 1.9.0 and < 1.10.7)
  • OR cpe:/a:apache:subversion:*:*:*:*:*:*:*:* (Version >= 1.11.0 and < 1.14.1)

Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:apache:subversion:0.14.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:subversion:1.10.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8066 | P | subversion-bash-completion-1.14.1-150400.3.8 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:8010 | P | glibc-devel-32bit-2.31-150300.46.1 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:7811 | P | subversion-1.14.1-150400.3.8 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:629 | P | Security update for python-Flask-Security-Too (Moderate) (in QA) | 2022-09-27
oval:org.opensuse.security:def:93147 | P | (Important) | 2022-07-06
oval:org.opensuse.security:def:3205 | P | libltdl7-2.4.2-17.4.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3429 | P | apache-commons-httpclient-3.1-4.364 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3555 | P | libXdmcp6-1.1.1-12.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3529 | P | jakarta-commons-fileupload-1.1.1-122.3.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94835 | P | subversion-1.14.1-150400.3.8 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94667 | P | libncurses6-32bit-6.1-5.9.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:95059 | P | subversion-bash-completion-1.14.1-150400.3.8 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94941 | P | libfribidi0-32bit-1.0.10-150400.1.7 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:95159 | P | subversion-server-1.14.1-150400.3.8 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:313 | P | subversion-1.10.6-3.15.1 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:99192 | P | (Important) | 2022-03-29
oval:org.opensuse.security:def:100096 | P | (Moderate) | 2022-03-14
oval:org.opensuse.security:def:1242 | P | Security update for cyrus-sasl (Important) | 2022-03-07
oval:org.opensuse.security:def:101654 | P | Security update for vim (Important) | 2022-03-04
oval:org.opensuse.security:def:93300 | P | (Important) | 2022-01-25
oval:org.opensuse.security:def:112861 | P | libsvn_auth_gnome_keyring-1-0-1.14.1-1.11 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:5934 | P | Security update for glib-networking (Important) | 2021-12-13
oval:org.opensuse.security:def:106322 | P | libsvn_auth_gnome_keyring-1-0-1.14.1-1.11 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:63379 | P | subversion-server-1.10.6-3.15.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:101405 | P | subversion-server-1.10.6-3.15.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2290 | P | subversion-server-1.10.6-3.15.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:101380 | P | libvirt-7.1.0-4.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:101089 | P | subversion-1.10.6-3.15.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72072 | P | subversion-1.10.6-3.15.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1955 | P | subversion-bash-completion-1.10.6-3.15.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72763 | P | subversion-bash-completion-1.10.6-3.15.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62331 | P | subversion-1.10.6-3.15.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:63044 | P | subversion-bash-completion-1.10.6-3.15.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:102195 | P | Security update for redis (Important) | 2021-07-12
oval:org.opensuse.security:def:99387 | P | (Important) | 2021-06-18
oval:com.redhat.rhsa:def:20210507 | P | RHSA-2021:0507: subversion:1.10 security update (Important) | 2021-02-15
oval:org.opensuse.security:def:111219 | P | Security update for subversion (Important) | 2021-02-12
oval:org.opensuse.security:def:9637 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:96091 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:4532 | P | Security update for the Linux Kernel (Live Patch 6 for SLE 12 SP5) (Important) | 2021-02-10
oval:org.opensuse.security:def:92835 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:108861 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:69976 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:99586 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:8886 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:92242 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:117560 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:69099 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:76091 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:9836 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:98997 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:92994 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:109447 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:70337 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:97210 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:64644 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:99785 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:9081 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:92437 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:117834 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:108046 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:69583 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:10197 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:26189 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:70527 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:65621 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:73766 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:9443 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:95482 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:92636 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:118543 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:108320 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:69777 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:102781 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:10387 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:8696 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:92047 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:5176 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:67023 | P | Security update for subversion (Important) | 2021-02-10
oval:org.opensuse.security:def:74689 | P | Security update for subversion (Important) | 2021-02-10
    apache subversion *
    debian debian linux 9.0
    apache subversion 0.14.0
    apache subversion 1.10.0