ID CVE-2010-3315
Summary authz.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x before 1.5.8 and 1.6.x before 1.6.13, when SVNPathAuthz short_circuit is enabled, does not properly handle a named repository as a rule scope, which allows remote authenticated users to bypass intended access restrictions via svn commands.
References
Vulnerable Configurations
  • Apache Software Foundation Subversion 1.6.12
    cpe:2.3:a:apache:subversion:1.6.12
  • Apache Software Foundation Subversion 1.6.11
    cpe:2.3:a:apache:subversion:1.6.11
  • Apache Software Foundation Subversion 1.6.10
    cpe:2.3:a:apache:subversion:1.6.10
  • Apache Software Foundation Subversion 1.6.9
    cpe:2.3:a:apache:subversion:1.6.9
  • Apache Software Foundation Subversion 1.6.8
    cpe:2.3:a:apache:subversion:1.6.8
  • Apache Software Foundation Subversion 1.6.7
    cpe:2.3:a:apache:subversion:1.6.7
  • Apache Software Foundation Subversion 1.6.6
    cpe:2.3:a:apache:subversion:1.6.6
  • Apache Software Foundation Subversion 1.6.5
    cpe:2.3:a:apache:subversion:1.6.5
  • Apache Software Foundation Subversion 1.6.4
    cpe:2.3:a:apache:subversion:1.6.4
  • Apache Software Foundation Subversion 1.6.3
    cpe:2.3:a:apache:subversion:1.6.3
  • Apache Software Foundation Subversion 1.6.2
    cpe:2.3:a:apache:subversion:1.6.2
  • Apache Software Foundation Subversion 1.6.1
    cpe:2.3:a:apache:subversion:1.6.1
  • Apache Software Foundation Subversion 1.6.0
    cpe:2.3:a:apache:subversion:1.6.0
  • Apache Software Foundation Subversion 1.5.7
    cpe:2.3:a:apache:subversion:1.5.7
  • Apache Software Foundation Subversion 1.5.6
    cpe:2.3:a:apache:subversion:1.5.6
  • Apache Software Foundation Subversion 1.5.5
    cpe:2.3:a:apache:subversion:1.5.5
  • Apache Software Foundation Subversion 1.5.4
    cpe:2.3:a:apache:subversion:1.5.4
  • Apache Software Foundation Subversion 1.5.3
    cpe:2.3:a:apache:subversion:1.5.3
  • Apache Software Foundation Subversion 1.5.2
    cpe:2.3:a:apache:subversion:1.5.2
  • Apache Software Foundation Subversion 1.5.1
    cpe:2.3:a:apache:subversion:1.5.1
  • Apache Software Foundation Subversion 1.5.0
    cpe:2.3:a:apache:subversion:1.5.0
CVSS
Base: 6.0 (as of 05-10-2010 - 09:50)
Impact:
Exploitability:
CWE CWE-16
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM SINGLE_INSTANCE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_LIBSVN_AUTH_GNOME_KEYRING-1-0-101029.NASL
    description when using 'SVNPathAuthz short_circuit' mod_dav_svn didn't properly enforce access restrictions (CVE-2010-3315).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75615
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75615
    title openSUSE Security Update : libsvn_auth_gnome_keyring-1-0 (openSUSE-SU-2010:1042-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_6_7.NASL
    description The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.7. Mac OS X 10.6.7 contains security fixes for the following products : - AirPort - Apache - AppleScript - ATS - bzip2 - CarbonCore - ClamAV - CoreText - File Quarantine - HFS - ImageIO - Image RAW - Installer - Kerberos - Kernel - Libinfo - libxml - Mailman - PHP - QuickLook - QuickTime - Ruby - Samba - Subversion - Terminal - X11
    last seen 2019-02-21
    modified 2018-08-22
    plugin id 52754
    published 2011-03-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=52754
    title Mac OS X 10.6.x < 10.6.7 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-16148.NASL
    description This update includes the latest stable release of Subversion, version 1.6.13. Subversion servers up to 1.6.12 (inclusive) making use of the 'SVNPathAuthz short_circuit' mod_dav_svn configuration setting have a bug which may allow users to write and/or read portions of the repository to which they are not intended to have access. This issue is fixed in this update. See http://subversion.apache.org/security/CVE-2010-3315-advisory.txt for further details A number of bug fixes are also included : - don't drop properties during foreign-repo merges - improve auto-props failure error message - improve error message for 403 status with ra_neon - don't allow 'merge --reintegrate' for 2-url merges - improve handling of missing fsfs.conf during hotcopy - escape unsafe characters in a URL during export - don't leak stale locks in FSFS - better detect broken working copies during update over ra_neon - fsfs: make rev files read-only - properly canonicalize a URL - fix wc corruption with 'commit --depth=empty' - permissions fixes when doing reintegrate merges - fix mergeinfo miscalculation during 2-url merges - fix error transmission problems in svnserve - fixed: record-only merges create self-referential mergeinfo - make 'svnmucc propset' handle existing and non-existing URLs - add new 'propsetf' subcommand to svnmucc - emit a warning about copied dirs during ci with limited depth Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 50396
    published 2010-10-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50396
    title Fedora 14 : subversion-1.6.13-1.fc14 (2010-16148)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1053-1.NASL
    description It was discovered that Subversion incorrectly handled certain 'partial access' privileges in rare scenarios. Remote authenticated users could use this flaw to obtain sensitive information (revision properties). This issue only applied to Ubuntu 6.06 LTS. (CVE-2007-2448) It was discovered that the Subversion mod_dav_svn module for Apache did not properly handle a named repository as a rule scope. Remote authenticated users could use this flaw to bypass intended restrictions. This issue only applied to Ubuntu 9.10, 10.04 LTS, and 10.10. (CVE-2010-3315) It was discovered that the Subversion mod_dav_svn module for Apache incorrectly handled the walk function. Remote authenticated users could use this flaw to cause the service to crash, leading to a denial of service. (CVE-2010-4539) It was discovered that Subversion incorrectly handled certain memory operations. Remote authenticated users could use this flaw to consume large quantities of memory and cause the service to crash, leading to a denial of service. This issue only applied to Ubuntu 9.10, 10.04 LTS, and 10.10. (CVE-2010-4644). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 51846
    published 2011-02-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51846
    title Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : subversion vulnerabilities (USN-1053-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_LIBSVN_AUTH_GNOME_KEYRING-1-0-101028.NASL
    description when using 'SVNPathAuthz short_circuit' mod_dav_svn didn't properly enforce access restrictions (CVE-2010-3315).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 53679
    published 2011-05-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53679
    title openSUSE Security Update : libsvn_auth_gnome_keyring-1-0 (openSUSE-SU-2010:1042-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-16136.NASL
    description This update includes the latest stable release of Subversion, version 1.6.13. Subversion servers up to 1.6.12 (inclusive) making use of the 'SVNPathAuthz short_circuit' mod_dav_svn configuration setting have a bug which may allow users to write and/or read portions of the repository to which they are not intended to have access. This issue is fixed in this update. See http://subversion.apache.org/security/CVE-2010-3315-advisory.txt for further details A number of bug fixes are also included : - don't drop properties during foreign-repo merges - improve auto-props failure error message - improve error message for 403 status with ra_neon - don't allow 'merge --reintegrate' for 2-url merges - improve handling of missing fsfs.conf during hotcopy - escape unsafe characters in a URL during export - don't leak stale locks in FSFS - better detect broken working copies during update over ra_neon - fsfs: make rev files read-only - properly canonicalize a URL - fix wc corruption with 'commit --depth=empty' - permissions fixes when doing reintegrate merges - fix mergeinfo miscalculation during 2-url merges - fix error transmission problems in svnserve - fixed: record-only merges create self-referential mergeinfo - make 'svnmucc propset' handle existing and non-existing URLs - add new 'propsetf' subcommand to svnmucc - emit a warning about copied dirs during ci with limited depth Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 50395
    published 2010-10-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50395
    title Fedora 13 : subversion-1.6.13-1.fc13 (2010-16136)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_LIBSVN_AUTH_GNOME_KEYRING-1-0-101029.NASL
    description when using 'SVNPathAuthz short_circuit' mod_dav_svn didn't properly enforce access restrictions (CVE-2010-3315).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 53758
    published 2011-05-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53758
    title openSUSE Security Update : libsvn_auth_gnome_keyring-1-0 (openSUSE-SU-2010:1042-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-199.NASL
    description A vulnerability was discovered and corrected in subversion : authz.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x before 1.5.8 and 1.6.x before 1.6.13, when SVNPathAuthz short_circuit is enabled, does not properly handle a named repository as a rule scope, which allows remote authenticated users to bypass intended access restrictions via svn commands (CVE-2010-3315). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=4 90 The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 49967
    published 2010-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49967
    title Mandriva Linux Security Advisory : subversion (MDVSA-2010:199)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-16115.NASL
    description This update includes the latest stable release of Subversion, version 1.6.13. Subversion servers up to 1.6.12 (inclusive) making use of the 'SVNPathAuthz short_circuit' mod_dav_svn configuration setting have a bug which may allow users to write and/or read portions of the repository to which they are not intended to have access. This issue is fixed in this update. See http://subversion.apache.org/security/CVE-2010-3315-advisory.txt for further details A number of bug fixes are also included : - don't drop properties during foreign-repo merges - improve auto-props failure error message - improve error message for 403 status with ra_neon - don't allow 'merge --reintegrate' for 2-url merges - improve handling of missing fsfs.conf during hotcopy - escape unsafe characters in a URL during export - don't leak stale locks in FSFS - better detect broken working copies during update over ra_neon - fsfs: make rev files read-only - properly canonicalize a URL - fix wc corruption with 'commit --depth=empty' - permissions fixes when doing reintegrate merges - fix mergeinfo miscalculation during 2-url merges - fix error transmission problems in svnserve - fixed: record-only merges create self-referential mergeinfo - make 'svnmucc propset' handle existing and non-existing URLs - add new 'propsetf' subcommand to svnmucc - emit a warning about copied dirs during ci with limited depth Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 50394
    published 2010-10-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50394
    title Fedora 12 : subversion-1.6.13-1.fc12.1 (2010-16115)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2118.NASL
    description Kamesh Jayachandran and C. Michael Pilat discovered that the mod_dav_svn module of Subversion, a version control system, is not properly enforcing access rules which are scope-limited to named repositories. If the SVNPathAuthz option is set to 'short_circuit' set this may enable an unprivileged attacker to bypass intended access restrictions and disclose or modify repository content.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 49815
    published 2010-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=49815
    title Debian DSA-2118-1 : subversion - logic flaw
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20110215_SUBVERSION_ON_SL6_X.NASL
    description An access restriction bypass flaw was found in the mod_dav_svn module. If the SVNPathAuthz directive was set to 'short_circuit', certain access rules were not enforced, possibly allowing sensitive repository data to be leaked to remote users. Note that SVNPathAuthz is set to 'On' by default. (CVE-2010-3315) A server-side memory leak was found in the Subversion server. If a malicious, remote user performed 'svn blame' or 'svn log' operations on certain repository files, it could cause the Subversion server to consume a large amount of system memory. (CVE-2010-4644) A NULL pointer dereference flaw was found in the way the mod_dav_svn module processed certain requests. If a malicious, remote user issued a certain type of request to display a collection of Subversion repositories on a host that has the SVNListParentPath directive enabled, it could cause the httpd process serving the request to crash. Note that SVNListParentPath is not enabled by default. (CVE-2010-4539) After installing the updated packages, the Subversion server must be restarted for the update to take effect: restart httpd if you are using mod_dav_svn, or restart svnserve if it is used.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 60955
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60955
    title Scientific Linux Security Update : subversion on SL6.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-0258.NASL
    description From Red Hat Security Advisory 2011:0258 : Updated subversion packages that fix three security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. An access restriction bypass flaw was found in the mod_dav_svn module. If the SVNPathAuthz directive was set to 'short_circuit', certain access rules were not enforced, possibly allowing sensitive repository data to be leaked to remote users. Note that SVNPathAuthz is set to 'On' by default. (CVE-2010-3315) A server-side memory leak was found in the Subversion server. If a malicious, remote user performed 'svn blame' or 'svn log' operations on certain repository files, it could cause the Subversion server to consume a large amount of system memory. (CVE-2010-4644) A NULL pointer dereference flaw was found in the way the mod_dav_svn module processed certain requests. If a malicious, remote user issued a certain type of request to display a collection of Subversion repositories on a host that has the SVNListParentPath directive enabled, it could cause the httpd process serving the request to crash. Note that SVNListParentPath is not enabled by default. (CVE-2010-4539) All Subversion users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the Subversion server must be restarted for the update to take effect: restart httpd if you are using mod_dav_svn, or restart svnserve if it is used.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 68200
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68200
    title Oracle Linux 6 : subversion (ELSA-2011-0258)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-0258.NASL
    description Updated subversion packages that fix three security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Subversion (SVN) is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. An access restriction bypass flaw was found in the mod_dav_svn module. If the SVNPathAuthz directive was set to 'short_circuit', certain access rules were not enforced, possibly allowing sensitive repository data to be leaked to remote users. Note that SVNPathAuthz is set to 'On' by default. (CVE-2010-3315) A server-side memory leak was found in the Subversion server. If a malicious, remote user performed 'svn blame' or 'svn log' operations on certain repository files, it could cause the Subversion server to consume a large amount of system memory. (CVE-2010-4644) A NULL pointer dereference flaw was found in the way the mod_dav_svn module processed certain requests. If a malicious, remote user issued a certain type of request to display a collection of Subversion repositories on a host that has the SVNListParentPath directive enabled, it could cause the httpd process serving the request to crash. Note that SVNListParentPath is not enabled by default. (CVE-2010-4539) All Subversion users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the Subversion server must be restarted for the update to take effect: restart httpd if you are using mod_dav_svn, or restart svnserve if it is used.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 51995
    published 2011-02-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51995
    title RHEL 6 : subversion (RHSA-2011:0258)
oval via4
accepted 2015-05-04T04:00:13.707-04:00
class vulnerability
contributors
  • name Sergey Artykhov
    organization ALTX-SOFT
  • name Maria Mikhno
    organization ALTX-SOFT
definition_extensions
comment VisualSVN Server is installed
oval oval:org.mitre.oval:def:18636
description authz.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x before 1.5.8 and 1.6.x before 1.6.13, when SVNPathAuthz short_circuit is enabled, does not properly handle a named repository as a rule scope, which allows remote authenticated users to bypass intended access restrictions via svn commands.
family windows
id oval:org.mitre.oval:def:19007
status accepted
submitted 2013-10-02T13:00:00
title Apache Subversion vulnerability 1.5.x before 1.5.8 and 1.6.x before 1.6.13 in VisualSVN Server (CVE-2010-3315)
version 8
redhat via4
advisories
rhsa
id RHSA-2011:0258
rpms
  • mod_dav_svn-0:1.6.11-2.el6_0.2
  • subversion-0:1.6.11-2.el6_0.2
  • subversion-devel-0:1.6.11-2.el6_0.2
  • subversion-gnome-0:1.6.11-2.el6_0.2
  • subversion-javahl-0:1.6.11-2.el6_0.2
  • subversion-kde-0:1.6.11-2.el6_0.2
  • subversion-perl-0:1.6.11-2.el6_0.2
  • subversion-ruby-0:1.6.11-2.el6_0.2
  • subversion-svn2cl-0:1.6.11-2.el6_0.2
refmap via4
apple APPLE-SA-2011-03-21-1
confirm
debian DSA-2118
mandriva MDVSA-2010:199
secunia
  • 41652
  • 43139
  • 43346
suse SUSE-SR:2010:024
ubuntu USN-1053-1
vupen ADV-2011-0264
Last major update 02-11-2013 - 23:02
Published 04-10-2010 - 17:00
Last modified 18-09-2017 - 21:31