CVE-2013-4558: Input Validation
First published: Fri Nov 22 2013(Updated: )
A flaw was found in the way mod_dav_svn handled certain requests when SVNAutoversioning (in "/etc/httpd/conf.d/subversion.conf", for example) was enabled. If an attacker with commit access to a repository sent a request containing a crafted URL, it would cause the httpd process serving the request to crash. This issue affected Subversion versions 1.7.11 to 1.7.13, and 1.8.1 to 1.8.4. It has been corrected in versions 1.7.14 and 1.8.5. This issue does not affect the versions of Subversion in Red Hat Enterprise Linux 5 and 6. Acknowledgements: Red Hat would like to thank the Apache Subversion project for reporting this issue. Upstream acknowledges Philip Martin as the original reporter.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/subversion | <1.7.14 | 1.7.14 |
| redhat/subversion | <1.8.5 | 1.8.5 |
| Apache mod_dav_svn | ||
| Subversion | =1.7.11 | |
| Subversion | =1.7.12 | |
| Subversion | =1.7.13 | |
| Subversion | =1.8.1 | |
| Subversion | =1.8.2 | |
| Subversion | =1.8.3 | |
| Subversion | =1.8.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://subversion.apache.org/security/CVE-2013-4558-advisory.txt
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1034377
- https://bugzilla.redhat.com/show_bug.cgi?id=1033431
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00029.html
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00048.html
- http://osvdb.org/100363
- https://github.com/apache/subversion/commit/2c77c43e4255555f3b79f761f0d141393a3856cc
- https://github.com/apache/subversion/commit/647e3f8365a74831bb915f63793b63e31fae062d
Frequently Asked Questions
What is the severity of CVE-2013-4558?
CVE-2013-4558 has a moderate severity rating due to its potential impact on server operations if exploited.
How do I fix CVE-2013-4558?
To fix CVE-2013-4558, upgrade subversion to version 1.7.14 or 1.8.5 or later.
Who is affected by CVE-2013-4558?
CVE-2013-4558 affects users of mod_dav_svn when autoversioning is enabled in Apache Subversion.
What are the symptoms of CVE-2013-4558 exploitation?
Exploitation of CVE-2013-4558 may lead to abnormal termination of the httpd process serving requests.
Is there a workaround for CVE-2013-4558?
Disabling SVNAutoversioning in the configuration may serve as a temporary workaround for CVE-2013-4558.
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/weakness
- agent/references
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-4558
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- package-manager/redhat
- vendor/apache
- canonical/apache mod_dav_svn
- canonical/subversion
- version/subversion/1.7.11
- version/subversion/1.7.12
- version/subversion/1.7.13
- version/subversion/1.8.1
- version/subversion/1.8.2
- version/subversion/1.8.3
- version/subversion/1.8.4