Evgeny Kotkov

**Name of the Vulnerable Software and Affected Versions** Apache Subversion versions prior to the fixed version **Description** The issue is related to improper authorization in the centralized version control system Apache Subversion. Exploitation of this issue allows a remote attacker to access confidential data. Specifically, Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original, revealing the fact that the node was copied. Only the 'copyfrom' path is revealed, not its contents. Both httpd and svnserve servers are vulnerable. **Recommendations** As a temporary workaround, consider restricting access to the `copyfrom` path to minimize the risk of exploitation. For versions prior to the fixed version, update to the latest version to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Subversion versions 1.6.0 through 1.7.19 Subversion versions 1.8.0 through 1.8.11 **Description** The issue is related to resource management errors in the mod dav svn and svnserve servers of the Subversion centralized version control system. Exploitation of this issue may allow a remote attacker to cause a denial of service when processing certain combinations of parameters related to dynamically evaluated revision numbers. This can lead to an assertion failure and abort. **Recommendations** For Subversion versions 1.6.0 through 1.7.19, update to a version outside of this range to resolve the issue. For Subversion versions 1.8.0 through 1.8.11, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the mod dav svn and svnserve servers until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Subversion versions 1.8.0 through 1.8.11 **Description** The issue allows remote attackers to cause a denial of service, specifically memory consumption, by sending a large number of REPORT requests. This triggers the traversal of FSFS repository nodes, leading to the denial of service. **Recommendations** For Subversion versions 1.8.0 through 1.8.11, consider restricting access to the mod dav svn server to minimize the risk of exploitation until a patch is available. As a temporary workaround, limiting the number of REPORT requests from a single source may also help mitigate the issue.