Gentoo FoundationGLSA-200409-35Subversion: Metadata information leak
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.029 Low
EPSS
Percentile
90.8%
Background
Subversion is a versioning system designed to be a replacement for CVS. mod_authz_svn is an Apache module to do path-based authentication for Subversion repositories.
Description
There is a bug in mod_authz_svn that causes it to reveal logged metadata regarding commits to protected areas.
Impact
Protected files themselves will not be revealed, but an attacker could use the metadata to reveal the existence of protected areas, such as paths, file versions, and the commit logs from those areas.
Workaround
Rather than using mod_authz_svn, move protected areas into seperate repositories and use native Apache authentication to make these repositories unreadable.
Resolution
All Subversion users should upgrade to the latest version:
# emerge sync
# emerge -pv ">=dev-util/subversion-1.0.8"
# emerge ">=dev-util/subversion-1.0.8"
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Gentoo | any | all | dev-util/subversion | < 1.0.8 | UNKNOWN |
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.029 Low
EPSS
Percentile
90.8%