CVE-2024-45720

On Windows platforms, a "best fit" character encoding conversion of command line arguments to Subversion's executables (e.g., svn.exe, etc.) may lead to unexpected command line argument interpretation, including argument injection and execution of other programs, if a specially crafted command line argument string is processed.

All versions of Subversion up to and including Subversion 1.14.3 are affected on Windows platforms only. Users are recommended to upgrade to version Subversion 1.14.4, which fixes this issue.

Subversion is not affected on UNIX-like platforms.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.2 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
apacheCNA
8.2 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 32%
VendorProductVersion
apachesubversion
1.14.3 ≤
𝑥
≤ 1.14.3
apachesubversion
𝑥
< 1.14.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
subversion
bullseye
1.14.1-3+deb11u1
fixed
bullseye (security)
1.14.1-3+deb11u2
fixed
bookworm
1.14.2-4+deb12u1
fixed
sid
1.14.5-3
fixed
trixie
1.14.5-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
subversion
noble
not-affected
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
Common Weakness Enumeration
References
https://subversion.apache.org/security/CVE-2024-45720-advisory.txt
http://www.openwall.com/lists/oss-security/2024/10/08/3