CVE-2021-28544

Summary

CVE	CVE-2021-28544
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-04-12 18:15:00 UTC
Updated	2023-02-11 17:44:00 UTC
Description	Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.

Risk And Classification

Problem Types: CWE-200

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Subversion	All	All	All	All
Operating System	Apple	Macos	All	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Operating System	Fedoraproject	Fedora	36	All	All	All

References

Reference	Source	Link	Tags
subversion.apache.org/security/CVE-2021-28544-advisory.txt	MISC	subversion.apache.org
[SECURITY] Fedora 36 Update: subversion-1.14.2-5.fc36 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 35 Update: subversion-1.14.2-5.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 35 Update: subversion-1.14.2-5.fc35 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
Full Disclosure: APPLE-SA-2022-07-20-2 macOS Monterey 12.5	FULLDISC	seclists.org
[SECURITY] Fedora 36 Update: subversion-1.14.2-5.fc36 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
About the security content of macOS Monterey 12.5 - Apple Support	CONFIRM	support.apple.com
Debian -- Security Information -- DSA-5119-1 subversion	DEBIAN	www.debian.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

179188 Debian Security Update for subversion (DSA 5119-1)
198739 Ubuntu Security Notification for Subversion Vulnerabilities (USN-5372-1)
198806 Ubuntu Security Notification for Subversion Vulnerabilities (USN-5450-1)
282940 Fedora Security Update for subversion (FEDORA-2022-2af658b090)
282941 Fedora Security Update for subversion (FEDORA-2022-13cc09ecf2)
354331 Amazon Linux Security Advisory for subversion : ALAS2022-2022-149
355203 Amazon Linux Security Advisory for subversion : ALAS2023-2023-011
376740 Apple macOS Monterey 12.5 Not Installed (HT213345)
501502 Alpine Linux Security Update for subversion
504446 Alpine Linux Security Update for subversion
671880 EulerOS Security Update for subversion (EulerOS-SA-2022-1952)
671913 EulerOS Security Update for subversion (EulerOS-SA-2022-2013)
671925 EulerOS Security Update for subversion (EulerOS-SA-2022-1983)
671970 EulerOS Security Update for subversion (EulerOS-SA-2022-2172)
671981 EulerOS Security Update for subversion (EulerOS-SA-2022-2147)
690842 Free Berkeley Software Distribution (FreeBSD) Security Update for subversion (3a1dc8c8-bb27-11ec-98d1-d43d7eed0ce2)
752024 SUSE Enterprise Linux Security Update for subversion (SUSE-SU-2022:1162-1)
752031 SUSE Enterprise Linux Security Update for subversion (SUSE-SU-2022:1161-1)
752097 SUSE Enterprise Linux Security Update for subversion (SUSE-SU-2022:1483-1)
900828 Common Base Linux Mariner (CBL-Mariner) Security Update for subversion (9393)
900956 Common Base Linux Mariner (CBL-Mariner) Security Update for subversion (9367)
901340 Common Base Linux Mariner (CBL-Mariner) Security Update for subversion (9393-1)
902333 Common Base Linux Mariner (CBL-Mariner) Security Update for subversion (9367-1)