CVE-2014-3528 — Use of a Broken or Risky Cryptographic Algorithm in Apache Subversion

CWE-255 CWE-327 — Use of a Broken or Risky Cryptographic Algorithm CWE-201 — Sensitive Info Insertion into Sent Data10 documents10 sources

Severity

4.0MEDIUMNVD

EPSS

3.4%

top 12.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Subversion Apple Xcode Canonical Ubuntu Linux +6 more

Timeline

PublishedAug 19

Latest updateMay 14

Description

Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm.

CVSS vector

AV:N/AC:H/C:P/I:P/A:NExploitability: 4.9 | Impact: 4.9

Affected Packages8 packages

▶Debianapache/subversion< 1.8.10-1+3

▶NVDapache/subversion89 versions+88

▶NVDapple/xcode6.1.1

▶NVDopensuse/opensuse12.3, 13.1+1

▶NVDredhat/enterprise_linux_server6.0, 7.0+1

Also affects: Ubuntu Linux 12.04, 14.04, Enterprise Linux 6.6.z

🔴Vulnerability Details

GHSA

GHSA-vxf6-xw9g-6cfc: Apache Subversion 1↗2022-05-14

▶

CVEList

CVE-2014-3528: Apache Subversion 1↗2014-08-19

▶

OSV

CVE-2014-3528: Apache Subversion 1↗2014-08-19

▶

📋Vendor Advisories

Ubuntu

Subversion vulnerabilities↗2014-08-14

▶

Debian

CVE-2014-3528: subversion - Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses...↗2014

▶

Red Hat

subversion: credentials leak via MD5 collision↗2013-12-13

▶

Apple

CVE-2014-3528: Xcode 6.2↗

▶

Apache

Apache subversion: CVE-2014-3528↗

▶

💬Community

Bugzilla

CVE-2014-3528 subversion: credentials leak via MD5 collision↗2014-08-01

▶