CVE-2014-3528
First published: Tue Aug 19 2014(Updated: )
Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SUSE Linux | =12.3 | |
| SUSE Linux | =13.1 | |
| Subversion | =1.0.0 | |
| Subversion | =1.0.1 | |
| Subversion | =1.0.2 | |
| Subversion | =1.0.3 | |
| Subversion | =1.0.4 | |
| Subversion | =1.0.5 | |
| Subversion | =1.0.6 | |
| Subversion | =1.0.7 | |
| Subversion | =1.0.8 | |
| Subversion | =1.0.9 | |
| Subversion | =1.1.0 | |
| Subversion | =1.1.1 | |
| Subversion | =1.1.2 | |
| Subversion | =1.1.3 | |
| Subversion | =1.1.4 | |
| Subversion | =1.2.0 | |
| Subversion | =1.2.1 | |
| Subversion | =1.2.2 | |
| Subversion | =1.2.3 | |
| Subversion | =1.3.0 | |
| Subversion | =1.3.1 | |
| Subversion | =1.3.2 | |
| Subversion | =1.4.0 | |
| Subversion | =1.4.1 | |
| Subversion | =1.4.2 | |
| Subversion | =1.4.3 | |
| Subversion | =1.4.4 | |
| Subversion | =1.4.5 | |
| Subversion | =1.4.6 | |
| Subversion | =1.5.0 | |
| Subversion | =1.5.1 | |
| Subversion | =1.5.2 | |
| Subversion | =1.5.3 | |
| Subversion | =1.5.4 | |
| Subversion | =1.5.5 | |
| Subversion | =1.5.6 | |
| Subversion | =1.5.7 | |
| Subversion | =1.5.8 | |
| Subversion | =1.6.0 | |
| Subversion | =1.6.1 | |
| Subversion | =1.6.2 | |
| Subversion | =1.6.3 | |
| Subversion | =1.6.4 | |
| Subversion | =1.6.5 | |
| Subversion | =1.6.6 | |
| Subversion | =1.6.7 | |
| Subversion | =1.6.8 | |
| Subversion | =1.6.9 | |
| Subversion | =1.6.10 | |
| Subversion | =1.6.11 | |
| Subversion | =1.6.12 | |
| Subversion | =1.6.13 | |
| Subversion | =1.6.14 | |
| Subversion | =1.6.15 | |
| Subversion | =1.6.16 | |
| Subversion | =1.6.17 | |
| Subversion | =1.6.18 | |
| Subversion | =1.6.19 | |
| Subversion | =1.6.20 | |
| Subversion | =1.6.21 | |
| Subversion | =1.6.23 | |
| Subversion | =1.7.0 | |
| Subversion | =1.7.1 | |
| Subversion | =1.7.2 | |
| Subversion | =1.7.3 | |
| Subversion | =1.7.4 | |
| Subversion | =1.7.5 | |
| Subversion | =1.7.6 | |
| Subversion | =1.7.7 | |
| Subversion | =1.7.8 | |
| Subversion | =1.7.9 | |
| Subversion | =1.7.10 | |
| Subversion | =1.7.11 | |
| Subversion | =1.7.12 | |
| Subversion | =1.7.13 | |
| Subversion | =1.7.14 | |
| Subversion | =1.7.15 | |
| Subversion | =1.7.16 | |
| Subversion | =1.7.17 | |
| Subversion | =1.8.0 | |
| Subversion | =1.8.1 | |
| Subversion | =1.8.2 | |
| Subversion | =1.8.3 | |
| Subversion | =1.8.4 | |
| Subversion | =1.8.5 | |
| Subversion | =1.8.6 | |
| Subversion | =1.8.7 | |
| Subversion | =1.8.8 | |
| Subversion | =1.8.9 | |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Apple Xcode | =6.1.1 | |
| Red Hat Enterprise Linux Desktop | =6.0 | |
| Red Hat Enterprise Linux Desktop | =7.0 | |
| Red Hat Enterprise Linux HPC Node | =6.0 | |
| Red Hat Enterprise Linux HPC Node | =7.0 | |
| Red Hat Enterprise Linux Server | =6.0 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Server | =6.6.z | |
| Red Hat Enterprise Linux Workstation | =6.0 | |
| Red Hat Enterprise Linux Workstation | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.html
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.html
- http://rhn.redhat.com/errata/RHSA-2015-0165.html
- http://rhn.redhat.com/errata/RHSA-2015-0166.html
- http://secunia.com/advisories/59432
- http://secunia.com/advisories/59584
- http://secunia.com/advisories/60722
- http://subversion.apache.org/security/CVE-2014-3528-advisory.txt
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.securityfocus.com/bid/68995
- http://www.ubuntu.com/usn/USN-2316-1
- https://security.gentoo.org/glsa/201610-05
- https://support.apple.com/HT204427
Frequently Asked Questions
What is the severity of CVE-2014-3528?
CVE-2014-3528 is rated as important in severity due to the potential for credential disclosure.
How do I fix CVE-2014-3528?
To fix CVE-2014-3528, upgrade to Apache Subversion version 1.7.17 or later, or 1.8.10 or later.
What versions are affected by CVE-2014-3528?
CVE-2014-3528 affects all versions of Apache Subversion from 1.0.0 to below 1.7.17 and 1.8.x below 1.8.10.
Can CVE-2014-3528 lead to data breaches?
Yes, CVE-2014-3528 could potentially allow remote servers to obtain cached credentials, leading to data breaches.
Is there any workaround for CVE-2014-3528?
There is no official workaround for CVE-2014-3528; upgrading to the patched versions is the only solution.
- agent/type
- agent/references
- agent/author
- agent/severity
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/opensuse
- canonical/suse linux
- version/suse linux/12.3
- version/suse linux/13.1
- vendor/apache
- canonical/subversion
- version/subversion/1.0.0
- version/subversion/1.0.1
- version/subversion/1.0.2
- version/subversion/1.0.3
- version/subversion/1.0.4
- version/subversion/1.0.5
- version/subversion/1.0.6
- version/subversion/1.0.7
- version/subversion/1.0.8
- version/subversion/1.0.9
- version/subversion/1.1.0
- version/subversion/1.1.1
- version/subversion/1.1.2
- version/subversion/1.1.3
- version/subversion/1.1.4
- version/subversion/1.2.0
- version/subversion/1.2.1
- version/subversion/1.2.2
- version/subversion/1.2.3
- version/subversion/1.3.0
- version/subversion/1.3.1
- version/subversion/1.3.2
- version/subversion/1.4.0
- version/subversion/1.4.1
- version/subversion/1.4.2
- version/subversion/1.4.3
- version/subversion/1.4.4
- version/subversion/1.4.5
- version/subversion/1.4.6
- version/subversion/1.5.0
- version/subversion/1.5.1
- version/subversion/1.5.2
- version/subversion/1.5.3
- version/subversion/1.5.4
- version/subversion/1.5.5
- version/subversion/1.5.6
- version/subversion/1.5.7
- version/subversion/1.5.8
- version/subversion/1.6.0
- version/subversion/1.6.1
- version/subversion/1.6.2
- version/subversion/1.6.3
- version/subversion/1.6.4
- version/subversion/1.6.5
- version/subversion/1.6.6
- version/subversion/1.6.7
- version/subversion/1.6.8
- version/subversion/1.6.9
- version/subversion/1.6.10
- version/subversion/1.6.11
- version/subversion/1.6.12
- version/subversion/1.6.13
- version/subversion/1.6.14
- version/subversion/1.6.15
- version/subversion/1.6.16
- version/subversion/1.6.17
- version/subversion/1.6.18
- version/subversion/1.6.19
- version/subversion/1.6.20
- version/subversion/1.6.21
- version/subversion/1.6.23
- version/subversion/1.7.0
- version/subversion/1.7.1
- version/subversion/1.7.2
- version/subversion/1.7.3
- version/subversion/1.7.4
- version/subversion/1.7.5
- version/subversion/1.7.6
- version/subversion/1.7.7
- version/subversion/1.7.8
- version/subversion/1.7.9
- version/subversion/1.7.10
- version/subversion/1.7.11
- version/subversion/1.7.12
- version/subversion/1.7.13
- version/subversion/1.7.14
- version/subversion/1.7.15
- version/subversion/1.7.16
- version/subversion/1.7.17
- version/subversion/1.8.0
- version/subversion/1.8.1
- version/subversion/1.8.2
- version/subversion/1.8.3
- version/subversion/1.8.4
- version/subversion/1.8.5
- version/subversion/1.8.6
- version/subversion/1.8.7
- version/subversion/1.8.8
- version/subversion/1.8.9
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- vendor/apple
- canonical/apple xcode
- version/apple xcode/6.1.1
- vendor/redhat
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/6.0
- version/red hat enterprise linux desktop/7.0
- canonical/red hat enterprise linux hpc node
- version/red hat enterprise linux hpc node/6.0
- version/red hat enterprise linux hpc node/7.0
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/6.0
- version/red hat enterprise linux server/7.0
- version/red hat enterprise linux server/6.6.z
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/6.0
- version/red hat enterprise linux workstation/7.0