CVE-2020-17525

Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL. This can lead to disruption for users of the service. This issue was fixed in mod_dav_svn+mod_authz_svn servers 1.14.1 and mod_dav_svn+mod_authz_svn servers 1.10.7
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 93%
VendorProductVersion
apachesubversion
1.9.0 ≤
𝑥
< 1.10.7
apachesubversion
1.11.0 ≤
𝑥
< 1.14.1
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
subversion
bullseye (security)
1.14.1-3+deb11u1
fixed
bullseye
1.14.1-3+deb11u1
fixed
bookworm
1.14.2-4
fixed
sid
1.14.4-2
fixed
trixie
1.14.4-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
subversion
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
ignored
focal
Fixed 1.13.0-3ubuntu0.2
released
bionic
Fixed 1.9.7-4ubuntu1.1
released
xenial
Fixed 1.9.3-2ubuntu1.3+esm1
released
trusty
dne
Common Weakness Enumeration
References
https://lists.debian.org/debian-lts-announce/2021/05/msg00000.html
https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
https://lists.debian.org/debian-lts-announce/2021/05/msg00000.html
https://subversion.apache.org/security/CVE-2020-17525-advisory.txt