CVE-2020-17525

CWE-476NULL Pointer DereferenceCWE-416Use After Free11 documents9 sources
Severity
7.5HIGH
EPSS
11.8%
top 6.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Apache Software Foundation Apache SubversionApache SubversionDebian Debian Linux
Timeline
PublishedMar 17
Latest updateMay 26

Description

Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL. This can lead to disruption for users of the service. This issue was fixed in mod_dav_svn+mod_authz_svn servers 1.14.1 and mod_dav_svn+mod_authz_svn servers 1.10.7

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDapache/subversion1.9.01.10.7+1
CVEListV5apache_software_foundation/apache_subversionmod_authz_svn1.14.1
Debiansubversion< 1.14.1-1+3

Also affects: Debian Linux 9.0

Patches

Patch: subversion.apache.orgPatch: subversion.apache.org

🔴Vulnerability Details

4
OSV
subversion vulnerabilities2022-05-26
GHSA
GHSA-w6m8-jhpf-wj94: Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a cl2022-05-24
CVEList
Remote unauthenticated denial-of-service in Subversion mod_authz_svn2021-03-17
OSV
CVE-2020-17525: Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a cl2021-03-17

📋Vendor Advisories

6
Ubuntu
Subversion vulnerabilities2022-05-26
Ubuntu
Subversion vulnerability2022-03-10
Microsoft
Remote unauthenticated denial-of-service in Subversion mod_authz_svn2021-03-09
Red Hat
subversion: Remote unauthenticated denial of service in mod_authz_svn2021-02-10
Debian
CVE-2020-17525: subversion - Subversion's mod_authz_svn module will crash if the server is using in-repositor...2020