Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
21 Nov 2024, 05:59
Type | Values Removed | Values Added |
---|---|---|
References | () http://seclists.org/fulldisclosure/2022/Jul/18 - Mailing List, Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/ - Mailing List, Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/ - Mailing List, Third Party Advisory | |
References | () https://subversion.apache.org/security/CVE-2021-28544-advisory.txt - Exploit, Patch, Vendor Advisory | |
References | () https://support.apple.com/kb/HT213345 - Third Party Advisory | |
References | () https://www.debian.org/security/2022/dsa-5119 - Third Party Advisory |
Information
Published : 2022-04-12 18:15
Updated : 2024-11-21 05:59
NVD link : CVE-2021-28544
Mitre link : CVE-2021-28544
CVE.ORG link : CVE-2021-28544
JSON object : View
Products Affected
debian
- debian_linux
apache
- subversion
fedoraproject
- fedora
apple
- macos
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor