CVE-2022-24070

Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
Affected Products (NVD)
VendorProductVersion
apachesubversion
1.10.0 ≤
𝑥
< 1.10.8
apachesubversion
1.14.0 ≤
𝑥
< 1.14.2
debiandebian_linux
10.0
debiandebian_linux
11.0
applemacos
12.0 ≤
𝑥
< 12.5
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
subversion
bookworm
1.14.2-4
fixed
bullseye
1.14.1-3+deb11u1
fixed
bullseye (security)
1.14.1-3+deb11u1
fixed
sid
1.14.4-2
fixed
stretch
not-affected
trixie
1.14.4-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
subversion
bionic
not-affected
focal
Fixed 1.13.0-3ubuntu0.1
released
impish
Fixed 1.14.1-3ubuntu0.1
released
jammy
Fixed 1.14.1-3ubuntu0.22.04.1
released
xenial
not-affected
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
subversion
suse enterprise desktop 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise desktop 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP7
1.14.1-150400.5.3.1
fixed
suse enterprise sap 15
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP1
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP2
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise sap 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP7
1.14.1-150400.5.3.1
fixed
suse enterprise server 15
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP1
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP2
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise server 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP7
1.14.1-150400.5.3.1
fixed
subversion-bash-completion
suse enterprise desktop 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise desktop 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP7
1.14.1-150400.5.3.1
fixed
suse enterprise sap 15
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP1
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP2
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise sap 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP7
1.14.1-150400.5.3.1
fixed
suse enterprise server 15
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP1
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP2
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise server 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP7
1.14.1-150400.5.3.1
fixed
subversion-devel
suse enterprise desktop 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise desktop 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP7
1.14.1-150400.5.3.1
fixed
suse enterprise sap 15
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP1
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP2
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise sap 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP7
1.14.1-150400.5.3.1
fixed
suse enterprise server 15
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP1
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP2
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise server 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP7
1.14.1-150400.5.3.1
fixed
subversion-perl
suse enterprise desktop 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise desktop 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP7
1.14.1-150400.5.3.1
fixed
suse enterprise sap 15
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP1
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP2
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise sap 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP7
1.14.1-150400.5.3.1
fixed
suse enterprise server 15
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP1
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP2
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise server 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP7
1.14.1-150400.5.3.1
fixed
subversion-python
suse enterprise desktop 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise desktop 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP7
1.14.1-150400.5.3.1
fixed
suse enterprise sap 15
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP1
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP2
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise sap 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP7
1.14.1-150400.5.3.1
fixed
suse enterprise server 15
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP1
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP2
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise server 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP7
1.14.1-150400.5.3.1
fixed
subversion-server
suse enterprise sap 15
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP1
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP2
1.10.6-150000.3.21.1
fixed
suse enterprise server 15
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP1
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP2
1.10.6-150000.3.21.1
fixed
subversion-tools
suse enterprise desktop 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise desktop 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise desktop 15 SP7
1.14.1-150400.5.3.1
fixed
suse enterprise sap 15
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP1
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP2
1.10.6-150000.3.21.1
fixed
suse enterprise sap 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise sap 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise sap 15 SP7
1.14.1-150400.5.3.1
fixed
suse enterprise server 15
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP1
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP2
1.10.6-150000.3.21.1
fixed
suse enterprise server 15 SP3
1.10.6-150300.10.8.1
fixed
suse enterprise server 15 SP4
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP5
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP6
1.14.1-150400.3.8
fixed
suse enterprise server 15 SP7
1.14.1-150400.5.3.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
mod
RHEL 9
0:1.14.1-5.el9_0
fixed
python3-subversion
RHEL 9
0:1.14.1-5.el9_0
fixed
subversion
RHEL 9
0:1.14.1-5.el9_0
fixed
subversion-devel
RHEL 9
0:1.14.1-5.el9_0
fixed
subversion-gnome
RHEL 9
0:1.14.1-5.el9_0
fixed
subversion-libs
RHEL 9
0:1.14.1-5.el9_0
fixed
subversion-perl
RHEL 9
0:1.14.1-5.el9_0
fixed
subversion-tools
RHEL 9
0:1.14.1-5.el9_0
fixed
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2022/Jul/18
https://bz.apache.org/bugzilla/show_bug.cgi?id=65861
https://cwiki.apache.org/confluence/display/HTTPD/ModuleLife
https://issues.apache.org/jira/browse/SVN-4880
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/
https://support.apple.com/kb/HT213345
https://www.debian.org/security/2022/dsa-5119
http://seclists.org/fulldisclosure/2022/Jul/18
https://bz.apache.org/bugzilla/show_bug.cgi?id=65861
https://cwiki.apache.org/confluence/display/HTTPD/ModuleLife
https://issues.apache.org/jira/browse/SVN-4880
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/
https://support.apple.com/kb/HT213345
https://www.debian.org/security/2022/dsa-5119