Bug 2074780 (CVE-2021-28544) - CVE-2021-28544 subversion: SVN authz protected copyfrom paths regression
Summary: CVE-2021-28544 subversion: SVN authz protected copyfrom paths regression
Keywords:
Status: NEW
Alias: CVE-2021-28544
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2074781 2076650 2076651 2076652
Blocks: 2074782
TreeView+ depends on / blocked
 
Reported: 2022-04-13 04:54 UTC by Avinash Hanwate
Modified: 2024-02-01 01:40 UTC (History)
2 users (show)

Fixed In Version: subversion 1.14.2, subversion 1.10.8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Subversion. When using path-based authorization (authz), the helper function detect_changed() does not omit potentially sensitive information from log messages. In particular, if a node is copied from a protected location, its 'copyfrom' path (the path to the protected location) is reported even when omission should occur.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Avinash Hanwate 2022-04-13 04:54:36 UTC 
Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.

https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
Comment 1 Avinash Hanwate 2022-04-13 04:54:56 UTC 
Created subversion tracking bugs for this issue:

Affects: fedora-all [bug 2074781]
Comment 2 Mauro Matteo Cascella 2022-04-19 14:39:09 UTC 
Upstream fix:
https://svn.apache.org/viewvc?view=revision&revision=1899227
Note You need to log in before you can comment on or make changes to this bug.