#VU32680 Buffer overflow in Subversion - CVE-2013-1845

Cybersecurity Help s.r.o.

Published: 2013-05-02 | Updated: 2020-07-28

Vulnerability identifier: #VU32680

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2013-1845

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Subversion
Server applications / Frameworks for developing and running applications

Vendor: Apache Foundation

Description

The vulnerability allows a remote #AU# to perform service disruption.

The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting or (2) deleting a large number of properties for a file or directory. Per http://lists.opensuse.org/opensuse-updates/2013-04/msg00095.html "Affected Products: openSUSE 12.3 openSUSE 12.2 openSUSE 12.1"

Mitigation
Install update from vendor's website.

Vulnerable software versions

Subversion: 1.6.0 rc1 - 1.6.20

External links
https://lists.opensuse.org/opensuse-updates/2013-04/msg00095.html
https://lists.opensuse.org/opensuse-updates/2013-06/msg00069.html
https://mail-archives.apache.org/mod_mbox/subversion-announce/201304.mbox/%3CCADkdwvRoyVrZV12tgC0FMGrc6%2BMisd3qTcZ%2BDdpFGgTahkgAkQ%40mail.gmail.com%3E
https://mail-archives.apache.org/mod_mbox/subversion-announce/201304.mbox/%3CCADkdwvSTMLbn4q_KM3Ph2UOeSiPGhEK4%3DSvwEjaHW_GUGkYWPQ%40mail.gmail.com%3E
https://rhn.redhat.com/errata/RHSA-2013-0737.html
https://subversion.apache.org/security/CVE-2013-1845-advisory.txt
https://www.mandriva.com/security/advisories?name=MDVSA-2013:153
https://www.ubuntu.com/usn/USN-1893-1
https://bugzilla.redhat.com/show_bug.cgi?id=929082
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18973

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Buffer overflow in subversion (Alpine package)

Buffer overflow in Subversion

Amazon Linux AMI update for subversion