Apache Subversion
By the Year
In 2024 there have been 0 vulnerabilities in Apache Subversion . Subversion did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 2 | 5.90 |
| 2021 | 1 | 7.50 |
| 2020 | 0 | 0.00 |
| 2019 | 3 | 7.17 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Subversion vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Apache Subversion Security Vulnerabilities
Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths
CVE-2021-28544
4.3 - Medium
- April 12, 2022
Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.
Information Disclosure
Subversion's mod_dav_svn is vulnerable to memory corruption
CVE-2022-24070
7.5 - High
- April 12, 2022
Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected.
Dangling pointer
Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL
CVE-2020-17525
7.5 - High
- March 17, 2021
Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL. This can lead to disruption for users of the service. This issue was fixed in mod_dav_svn+mod_authz_svn servers 1.14.1 and mod_dav_svn+mod_authz_svn servers 1.10.7
NULL Pointer Dereference
In Apache Subversion versions up to and including 1.9.10
CVE-2019-0203
7.5 - High
- September 26, 2019
In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands. This can lead to disruption for users of the server.
Improper Input Validation
In Apache Subversion versions up to and including 1.9.10
CVE-2018-11782
6.5 - Medium
- September 26, 2019
In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer. This can lead to disruption for users of the server.
Improper Input Validation
Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation.
CVE-2018-11803
7.5 - High
- February 05, 2019
Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation.
Access of Uninitialized Pointer
The get_parent_resource function in repos.c in mod_dav_svn Apache HTTPD server module in Subversion 1.7.11 through 1.7.13 and 1.8.1 through 1.8.4, when built with assertions enabled and SVNAutoversioning is enabled
CVE-2013-4558
- December 07, 2013
The get_parent_resource function in repos.c in mod_dav_svn Apache HTTPD server module in Subversion 1.7.11 through 1.7.13 and 1.8.1 through 1.8.4, when built with assertions enabled and SVNAutoversioning is enabled, allows remote attackers to cause a denial of service (assertion failure and Apache process abort) via a non-canonical URL in a request, as demonstrated using a trailing /.
Improper Input Validation
Multiple memory leaks in rev_hunt.c in Apache Subversion before 1.6.15
CVE-2010-4644
- January 07, 2011
Multiple memory leaks in rev_hunt.c in Apache Subversion before 1.6.15 allow remote authenticated users to cause a denial of service (memory consumption and daemon crash) via the -g option to the blame command.
Resource Management Errors
The walk function in repos.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.15, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via vectors
CVE-2010-4539
- January 07, 2011
The walk function in repos.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.15, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger the walking of SVNParentPath collections.
Resource Management Errors
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Apache Subversion or by Apache? Click the Watch button to subscribe.
