CVE-2022-24070
Summary
| CVE | CVE-2022-24070 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-04-12 18:15:00 UTC |
| Updated | 2023-11-07 03:44:00 UTC |
| Description | Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected. |
Risk And Classification
Problem Types: CWE-416
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Subversion | All | All | All | All |
| Operating System | Apple | macOS | All | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Operating System | Fedoraproject | Fedora | 36 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| ModuleLife - HTTPD - Apache Software Foundation | MISC | cwiki.apache.org | |
| [SECURITY] Fedora 36 Update: subversion-1.14.2-5.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 36 Update: subversion-1.14.2-5.fc36 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| [SECURITY] Fedora 35 Update: subversion-1.14.2-5.fc35 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| [SVN-4880] Use-after-free of object-pools in subversion/libsvn_repos/authz.c when used as httpd module - ASF JIRA | MISC | issues.apache.org | |
| [SECURITY] Fedora 35 Update: subversion-1.14.2-5.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Full Disclosure: APPLE-SA-2022-07-20-2 macOS Monterey 12.5 | FULLDISC | seclists.org | |
| 65861 – [PATCH] Document how the post_config hook is called | MISC | bz.apache.org | |
| About the security content of macOS Monterey 12.5 - Apple Support | CONFIRM | support.apple.com | |
| Debian -- Security Information -- DSA-5119-1 subversion | DEBIAN | www.debian.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Apache Subversion would like to thank Thomas Weißschuh, cis-solutions.eu.
Legacy QID Mappings
- 159841 Oracle Enterprise Linux Security Update for subversion:1.10 (ELSA-2022-2234)
- 159888 Oracle Enterprise Linux Security Update for subversion:1.14 (ELSA-2022-4941)
- 159941 Oracle Enterprise Linux Security Update for subversion (ELSA-2022-4591)
- 179188 Debian Security Update for subversion (DSA 5119-1)
- 182267 Debian Security Update for subversion (CVE-2022-24070)
- 198739 Ubuntu Security Notification for Subversion Vulnerabilities (USN-5372-1)
- 198806 Ubuntu Security Notification for Subversion Vulnerabilities (USN-5450-1)
- 240330 Red Hat Update for subversion:1.10 (RHSA-2022:2222)
- 240337 Red Hat Update for subversion:1.10 (RHSA-2022:2236)
- 240338 Red Hat Update for subversion:1.10 (RHSA-2022:2234)
- 240345 Red Hat Update for subversion (RHSA-2022:4591)
- 240359 Red Hat Update for subversion:1.14 (RHSA-2022:4722)
- 240449 Red Hat Update for subversion:1.10 (RHSA-2022:2237)
- 240456 Red Hat Update for subversion:1.14 (RHSA-2022:4941)
- 282940 Fedora Security Update for subversion (FEDORA-2022-2af658b090)
- 282941 Fedora Security Update for subversion (FEDORA-2022-13cc09ecf2)
- 296086 Oracle Solaris 11.4 Support Repository Update (SRU) 51.132.1 Missing (CPUOCT2022)
- 354269 Amazon Linux Security Advisory for subversion : ALAS2022-2022-076
- 354331 Amazon Linux Security Advisory for subversion : ALAS2022-2022-149
- 355203 Amazon Linux Security Advisory for subversion : ALAS2023-2023-011
- 376740 Apple macOS Monterey 12.5 Not Installed (HT213345)
- 377625 Alibaba Cloud Linux Security Update for subversion:1.14 (ALINUX3-SA-2022:0163)
- 501502 Alpine Linux Security Update for subversion
- 504446 Alpine Linux Security Update for subversion
- 671880 EulerOS Security Update for subversion (EulerOS-SA-2022-1952)
- 671913 EulerOS Security Update for subversion (EulerOS-SA-2022-2013)
- 671925 EulerOS Security Update for subversion (EulerOS-SA-2022-1983)
- 671970 EulerOS Security Update for subversion (EulerOS-SA-2022-2172)
- 671981 EulerOS Security Update for subversion (EulerOS-SA-2022-2147)
- 690842 Free Berkeley Software Distribution (FreeBSD) Security Update for subversion (3a1dc8c8-bb27-11ec-98d1-d43d7eed0ce2)
- 752024 SUSE Enterprise Linux Security Update for subversion (SUSE-SU-2022:1162-1)
- 752031 SUSE Enterprise Linux Security Update for subversion (SUSE-SU-2022:1161-1)
- 752097 SUSE Enterprise Linux Security Update for subversion (SUSE-SU-2022:1483-1)
- 900818 Common Base Linux Mariner (CBL-Mariner) Security Update for subversion (9394)
- 901137 Common Base Linux Mariner (CBL-Mariner) Security Update for subversion (9368)
- 901320 Common Base Linux Mariner (CBL-Mariner) Security Update for subversion (9394-1)
- 902337 Common Base Linux Mariner (CBL-Mariner) Security Update for subversion (9368-1)
- 940575 AlmaLinux Security Update for subversion:1.10 (ALSA-2022:2234)
- 960297 Rocky Linux Security Update for subversion:1.10 (RLSA-2022:2234)
- 960332 Rocky Linux Security Update for subversion:1.14 (RLSA-2022:4941)
- 960623 Rocky Linux Security Update for subversion (RLSA-2022:4591)