Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.
References
Link | Resource |
---|---|
http://seclists.org/fulldisclosure/2022/Jul/18 | Mailing List Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/ | Mailing List Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/ | Mailing List Third Party Advisory |
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt | Exploit Patch Vendor Advisory |
https://support.apple.com/kb/HT213345 | Third Party Advisory |
https://www.debian.org/security/2022/dsa-5119 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
11 Feb 2023, 17:44
Type | Values Removed | Values Added |
---|---|---|
References | (FULLDISC) http://seclists.org/fulldisclosure/2022/Jul/18 - Mailing List, Third Party Advisory | |
References | (MISC) https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/ - Mailing List, Third Party Advisory | |
References | (MISC) https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/ - Mailing List, Third Party Advisory |
20 Dec 2022, 14:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
19 Oct 2022, 18:52
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* |
|
First Time |
Apple macos
Apple Fedoraproject Fedoraproject fedora |
|
CWE | CWE-200 | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2022/Jul/18 - Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/ - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://support.apple.com/kb/HT213345 - Third Party Advisory |
22 Jul 2022, 06:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
15 Jul 2022, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Apr 2022, 14:38
Type | Values Removed | Values Added |
---|---|---|
First Time |
Debian debian Linux
Debian Apache Apache subversion |
|
CPE | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:a:apache:subversion:*:*:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : 3.5
v3 : 4.3 |
CWE | CWE-863 | |
References | (DEBIAN) https://www.debian.org/security/2022/dsa-5119 - Third Party Advisory | |
References | (MISC) https://subversion.apache.org/security/CVE-2021-28544-advisory.txt - Exploit, Patch, Vendor Advisory |
13 Apr 2022, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
12 Apr 2022, 18:52
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-04-12 18:15
Updated : 2023-12-10 14:22
NVD link : CVE-2021-28544
Mitre link : CVE-2021-28544
CVE.ORG link : CVE-2021-28544
JSON object : View
Products Affected
fedoraproject
- fedora
apple
- macos
debian
- debian_linux
apache
- subversion
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor