CVE-2021-28544: Apache Subversion SVN authz protected copyfrom paths regression
First published: Tue Apr 12 2022(Updated: )
Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.
Credit: Evgeny Kotkov visualsvn.com Evgeny Kotkov visualsvn.com Evgeny Kotkov visualsvn.com Evgeny Kotkov visualsvn.com security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Subversion | >=1.10.0<=1.14.1 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Apple macOS | >=12.0<12.5 | |
| <12.5 | 12.5 | |
| debian/subversion | 1.10.4-1+deb10u3 1.14.1-3+deb11u1 1.14.2-4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://support.apple.com/en-us/HT213345 (Advisory)
- http://seclists.org/fulldisclosure/2022/Jul/18
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/
- https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
- https://support.apple.com/kb/HT213345
- https://www.debian.org/security/2022/dsa-5119
- https://security-tracker.debian.org/tracker/CVE-2021-28544
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2022-42858
- CVE-2022-32832
- CVE-2022-32788
- CVE-2022-32880
- CVE-2022-32826
- CVE-2022-42805
- CVE-2022-32948
- CVE-2022-32810
- CVE-2022-32840
- CVE-2022-32845
- CVE-2022-48578
- CVE-2022-32797
- CVE-2022-32851
- CVE-2022-32852
- CVE-2022-32853
- CVE-2022-32831
- CVE-2022-32910
- CVE-2022-32820
- CVE-2022-32825
- CVE-2022-32789
- CVE-2022-32805
- CVE-2022-32828
- CVE-2022-32839
- CVE-2022-32819
- CVE-2022-32793
- CVE-2022-32821
- CVE-2022-32849
- CVE-2022-32787
- CVE-2022-32897
- CVE-2022-32802
- CVE-2022-32841
- CVE-2022-32785
- CVE-2022-32811
- CVE-2022-32812
- CVE-2022-48503
- CVE-2022-32813
- CVE-2022-32815
- CVE-2022-32817
- CVE-2022-32829
- CVE-2022-26981
- CVE-2022-32823
- CVE-2022-32814
- CVE-2022-32786
- CVE-2022-32800
- CVE-2022-32838
- CVE-2022-32843
- CVE-2022-46708
- CVE-2022-32796
- CVE-2022-32842
- CVE-2022-32798
- CVE-2022-32799
- CVE-2022-32818
- CVE-2022-32857
- CVE-2022-32807
- CVE-2022-32801
- CVE-2021-28544
- CVE-2022-24070
- CVE-2022-29046
- CVE-2022-29048
- CVE-2022-32834
- CVE-2022-32933
- CVE-2022-32885
- CVE-2022-32861
- CVE-2022-32863
- CVE-2022-32816
- CVE-2022-32792
- CVE-2022-2294
- CVE-2022-32860
- CVE-2022-32837
- CVE-2022-32847
- CVE-2022-32848
Frequently Asked Questions
What is CVE-2021-28544?
CVE-2021-28544 refers to multiple issues in subversion that have been addressed through an update.
How can CVE-2021-28544 affect me?
If you are using subversion on macOS Monterey version 12.5 or earlier, you may be affected by CVE-2021-28544.
How do I mitigate the impact of CVE-2021-28544?
To mitigate the impact of CVE-2021-28544, update your subversion software to the latest version available.
Where can I find more information about CVE-2021-28544?
You can find more information about CVE-2021-28544 in the Apple security advisory at the following link: https://support.apple.com/en-us/HT213345
- collector/security-tracker-debian
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/severity
- agent/weakness
- agent/remedy
- agent/author
- agent/references
- agent/description
- collector/apple-support
- source/Apple
- alias/CVE-2022-24070
- alias/CVE-2022-29046
- alias/CVE-2022-29048
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/tags
- agent/trending
- package-manager/debian
- vendor/apache
- canonical/apache subversion
- version/apache subversion/1.10.0
- version/apache subversion/1.14.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- vendor/apple
- canonical/apple macos
- version/apple macos/12.0
- canonical/apple macos monterey