PT-2021-7353 · Apache · Apache Subversion

Evgeny Kotkov · Published 2021-04-12 · Updated 2024-12-23 · CVE-2021-28544

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Subversion before 1.14.2 (on the 1.10.x line, before 1.10.8); the fix shipped in 1.14.2 and 1.10.8.
Description: The issue is an improper-authorization flaw in the centralized version control system Apache Subversion. Subversion servers reveal 'copyfrom' paths that should be hidden according to the configured path-based authorization rules. When a node has been copied from a protected location, users who can read the copy can also see the 'copyfrom' path of the original, which discloses the protected path and the fact that the node was copied from it. Because a move in Subversion is recorded as a copy plus a delete, moving content out of a protected tree exposes its old location in the same way. Only the 'copyfrom' path is revealed, not its contents. Both httpd (mod_dav_svn) and svnserve servers are vulnerable; exploitation requires a remote user who already has read access to the copied node.
Recommendations: Update to Apache Subversion 1.14.2 or later (1.10.8 or later on the 1.10.x line), or install the patched package from your distribution (see the related identifiers below, for example DSA-5119-1, USN-5372-1 and the SUSE and openSUSE updates). Until the server is updated, a temporary workaround is to deny read access, via the same path-based authz rules, to nodes that were copied or moved out of protected locations: the protected 'copyfrom' path is only exposed to users who can read the copy destination. Restricting the source path alone does not help, since it is already protected by the very rule the leak bypasses.
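The following Python is an added example for this page, not Apache Subversion's own code, modelling the check that a patched server applies before it reports changed paths (as in 'svn log -v') and the workaround above. It bundles a deliberately small evaluator for Subversion's authz file format (per-path sections, named users and the '*' wildcard only; no groups, aliases or $authenticated) with a filter that drops 'copyfrom' information the requesting user is not allowed to read. The authz file, the user names alice and bob, and the changed-path records (a move out of /secret plus an unrelated edit) are all constructed for the example.

```python
"""Model of the authorization check behind CVE-2021-28544 (added example,
not Subversion's code). Minimal authz evaluator plus the copyfrom filter
a server must apply before reporting changed paths to a client."""
import configparser
import posixpath

# Constructed authz file: everything readable, /secret readable by alice only.
AUTHZ = """\
[/]
* = r

[/secret]
* =
alice = r
"""

# Constructed changed-path records for one revision, shaped like what the
# repository layer hands the server: a move of a file out of /secret
# (copy + delete) plus an unrelated edit.
CHANGED_PATHS = [
    {"path": "/public/notes.txt", "action": "A",
     "copyfrom_path": "/secret/plan.txt", "copyfrom_rev": 3},
    {"path": "/secret/plan.txt", "action": "D",
     "copyfrom_path": None, "copyfrom_rev": None},
    {"path": "/public/README", "action": "M",
     "copyfrom_path": None, "copyfrom_rev": None},
]


def parse_authz(text):
    """Return {path: {user: access}} from a Subversion authz file."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # user names are case-sensitive
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        if section in ("groups", "aliases"):
            continue  # not handled by this minimal evaluator
        path = section.split(":", 1)[-1]  # accept "[repo:/path]" as well as "[/path]"
        rules[path] = {user: (acc or "").strip() for user, acc in cp.items(section)}
    return rules


def can_read(rules, user, path):
    """The nearest ancestor rule naming the user (or '*') decides, as in Subversion."""
    p = path if path.startswith("/") else "/" + path
    while True:
        entry = rules.get(p)
        if entry is not None:
            if user in entry:
                return "r" in entry[user]
            if "*" in entry:
                return "r" in entry["*"]
        if p == "/":
            return False  # no rule at all: deny
        p = posixpath.dirname(p)


def filter_changed_paths(rules, user, changed_paths, hide_unreadable_copyfrom=True):
    """Changed paths as the server reports them to `user`.

    hide_unreadable_copyfrom=False reproduces the vulnerable behaviour: the
    destination is checked, but the copy source is passed through unchecked.
    """
    visible = []
    for change in changed_paths:
        if not can_read(rules, user, change["path"]):
            continue  # unreadable destination: the change is not reported at all
        change = dict(change)
        src = change["copyfrom_path"]
        if src is not None and hide_unreadable_copyfrom and not can_read(rules, user, src):
            # Fixed behaviour: report a plain add and say nothing about the source.
            change["copyfrom_path"] = None
            change["copyfrom_rev"] = None
        visible.append(change)
    return visible


def format_log_lines(changes):
    """Render changes in the 'Changed paths:' style of 'svn log -v'."""
    lines = []
    for c in changes:
        line = f"   {c['action']} {c['path']}"
        if c["copyfrom_path"] is not None:
            line += f" (from {c['copyfrom_path']}:{c['copyfrom_rev']})"
        lines.append(line)
    return lines


if __name__ == "__main__":
    rules = parse_authz(AUTHZ)
    for user in ("alice", "bob"):
        for fixed in (False, True):
            print(f"{user}, {'fixed' if fixed else 'vulnerable'} server:")
            for line in format_log_lines(
                    filter_changed_paths(rules, user, CHANGED_PATHS, fixed)):
                print(line)
```

Against a real server the equivalent check is to run 'svn log -v' as a user who is denied read access to the protected tree, on a revision known to contain a copy or move out of it: a "(from /protected/...:N)" suffix on an otherwise readable path means the server still leaks the source. The model also shows why the workaround targets the copy destination: bob never sees the "D /secret/plan.txt" line, because the destination check already works; only the source check was missing.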

Exploit

Information Disclosure

Incorrect Authorization

Weakness Enumeration

Related Identifiers

ALT-PU-2022-1700
ALT-PU-2023-7024
ALT-PU-2024-11076
ALT-PU-2024-17145
AZL-9367
BDU:2022-05773
BIT-SUBVERSION-2021-28544
CVE-2021-28544
DSA-5119-1
MGASA-2022-0140
OESA-2022-1647
OPENSUSE-SU-2022:1162-1
OPENSUSE-SU-2024:12007-1
ROSA-SA-2023-2216
SUSE-SU-2022:1161-1
SUSE-SU-2022:1162-1
SUSE-SU-2022:1483-1
USN-5372-1
USN-5450-1

Affected Products

Alt Linux
Apache Subversion
Astra Linux
Linux Mint
Apple macOS
SUSE
Ubuntu