#VU32571 Permissions, Privileges, and Access Controls in Subversion - CVE-2013-4505

Cybersecurity Help s.r.o.

Published: 2013-12-07 | Updated: 2020-07-28

Vulnerability identifier: #VU32571

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2013-4505

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Subversion
Server applications / Frameworks for developing and running applications

Vendor: Apache Foundation

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass intended access restrictions and possibly cause a denial of service (resource consumption) via a relative URL in a REPORT request.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Subversion: 1.4.0 rc1 - 1.4.0, 1.7.13

External links
https://lists.opensuse.org/opensuse-updates/2013-12/msg00029.html
https://lists.opensuse.org/opensuse-updates/2013-12/msg00048.html
https://osvdb.org/100364
https://secunia.com/advisories/55855
https://subversion.apache.org/security/CVE-2013-4505-advisory.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Permissions, Privileges, and Access Controls in subversion (Alpine package)

Slackware Linux update for subversion

Amazon Linux AMI update for subversion

Permissions, Privileges, and Access Controls in Subversion