Vulnerability in Apache Subversion

CVE-2015-0251

The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property via a crafted v1 HTTP protocol request sequences.

EPSS: 0.011 (78.1th percentile) — read the EPSS interpretation.

Affected products

Apache Subversion — versions 1.5.0, 1.5.1, 1.5.2
Apple Xcode — versions 7.0
Oracle Solaris — versions 11.3
Opensuse — versions 13.1, 13.2
Redhat Enterprise_linux_desktop — versions 6.0
Redhat Enterprise_linux_hpc_node — versions 6.0
Redhat Enterprise_linux_server — versions 6.0
Redhat Enterprise_linux_server_eus — versions 6.7.z
Redhat Enterprise_linux_workstation — versions 6.0
N/a — versions n/a

Weakness classification (CWE)

CWE-345 — Insufficient Verification of Data Authenticity

References

RHSA-2015:1742 (x_refsource_REDHAT, vendor-advisory)
DSA-3231 (vendor-advisory, x_refsource_DEBIAN)
RHSA-2015:1633 (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
20150611 Apache vulnerability program faulting module ntdll.dll (mailing-list, x_refsource_FULLDISC)
74259 (vdb-entry, x_refsource_BID)
1033214 (vdb-entry, x_refsource_SECTRACK)
secalert@redhat.com (x_refsource_CONFIRM, Third Party Advisory)
MDVSA-2015:192 (vendor-advisory, x_refsource_MANDRIVA, Broken Link)
APPLE-SA-2015-09-16-2 (vendor-advisory, x_refsource_APPLE, Mailing List)
secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)