{"api_version":"1","generated_at":"2026-04-23T01:19:07+00:00","cve":"CVE-2021-28544","urls":{"html":"https://cve.report/CVE-2021-28544","api":"https://cve.report/api/cve/CVE-2021-28544.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-28544","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-28544"},"summary":{"title":"CVE-2021-28544","description":"Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2022-04-12 18:15:00","updated_at":"2023-02-11 17:44:00"},"problem_types":["CWE-200"],"metrics":[],"references":[{"url":"https://subversion.apache.org/security/CVE-2021-28544-advisory.txt","name":"https://subversion.apache.org/security/CVE-2021-28544-advisory.txt","refsource":"MISC","tags":[],"title":"","mime":"text/x-diff","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/","name":"FEDORA-2022-2af658b090","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: subversion-1.14.2-5.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/","name":"FEDORA-2022-13cc09ecf2","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: subversion-1.14.2-5.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/","name":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 35 Update: subversion-1.14.2-5.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://seclists.org/fulldisclosure/2022/Jul/18","name":"20220721 APPLE-SA-2022-07-20-2 macOS Monterey 12.5","refsource":"FULLDISC","tags":[],"title":"Full Disclosure: APPLE-SA-2022-07-20-2 macOS Monterey 12.5","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/","name":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 36 Update: subversion-1.14.2-5.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://support.apple.com/kb/HT213345","name":"https://support.apple.com/kb/HT213345","refsource":"CONFIRM","tags":[],"title":"About the security content of macOS Monterey 12.5 - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2022/dsa-5119","name":"DSA-5119","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5119-1 subversion","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-28544","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28544","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"28544","vulnerable":"1","versionEndIncluding":"1.14.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"subversion","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28544","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"macos","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28544","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28544","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28544","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28544","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-28544","qid":"179188","title":"Debian Security Update for subversion (DSA 5119-1)"},{"cve":"CVE-2021-28544","qid":"198739","title":"Ubuntu Security Notification for Subversion Vulnerabilities (USN-5372-1)"},{"cve":"CVE-2021-28544","qid":"198806","title":"Ubuntu Security Notification for Subversion Vulnerabilities (USN-5450-1)"},{"cve":"CVE-2021-28544","qid":"282940","title":"Fedora Security Update for subversion (FEDORA-2022-2af658b090)"},{"cve":"CVE-2021-28544","qid":"282941","title":"Fedora Security Update for subversion (FEDORA-2022-13cc09ecf2)"},{"cve":"CVE-2021-28544","qid":"354331","title":"Amazon Linux Security Advisory for subversion : ALAS2022-2022-149"},{"cve":"CVE-2021-28544","qid":"355203","title":"Amazon Linux Security Advisory for subversion : ALAS2023-2023-011"},{"cve":"CVE-2021-28544","qid":"376740","title":"Apple macOS Monterey 12.5 Not Installed (HT213345)"},{"cve":"CVE-2021-28544","qid":"501502","title":"Alpine Linux Security Update for subversion"},{"cve":"CVE-2021-28544","qid":"504446","title":"Alpine Linux Security Update for subversion"},{"cve":"CVE-2021-28544","qid":"671880","title":"EulerOS Security Update for subversion (EulerOS-SA-2022-1952)"},{"cve":"CVE-2021-28544","qid":"671913","title":"EulerOS Security Update for subversion (EulerOS-SA-2022-2013)"},{"cve":"CVE-2021-28544","qid":"671925","title":"EulerOS Security Update for subversion (EulerOS-SA-2022-1983)"},{"cve":"CVE-2021-28544","qid":"671970","title":"EulerOS Security Update for subversion (EulerOS-SA-2022-2172)"},{"cve":"CVE-2021-28544","qid":"671981","title":"EulerOS Security Update for subversion (EulerOS-SA-2022-2147)"},{"cve":"CVE-2021-28544","qid":"690842","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for subversion (3a1dc8c8-bb27-11ec-98d1-d43d7eed0ce2)"},{"cve":"CVE-2021-28544","qid":"752024","title":"SUSE Enterprise Linux Security Update for subversion (SUSE-SU-2022:1162-1)"},{"cve":"CVE-2021-28544","qid":"752031","title":"SUSE Enterprise Linux Security Update for subversion (SUSE-SU-2022:1161-1)"},{"cve":"CVE-2021-28544","qid":"752097","title":"SUSE Enterprise Linux Security Update for subversion (SUSE-SU-2022:1483-1)"},{"cve":"CVE-2021-28544","qid":"900828","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for subversion (9393)"},{"cve":"CVE-2021-28544","qid":"900956","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for subversion (9367)"},{"cve":"CVE-2021-28544","qid":"901340","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for subversion (9393-1)"},{"cve":"CVE-2021-28544","qid":"902333","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for subversion (9367-1)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2021-28544","ASSIGNER":"security@apache.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","cweId":"CWE-200"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Apache Software Foundation","product":{"product_data":[{"product_name":"Apache Subversion","version":{"version_data":[{"version_value":"1.10.0 to 1.14.1","version_affected":"="}]}}]}}]}},"references":{"reference_data":[{"url":"https://subversion.apache.org/security/CVE-2021-28544-advisory.txt","refsource":"MISC","name":"https://subversion.apache.org/security/CVE-2021-28544-advisory.txt"},{"url":"https://www.debian.org/security/2022/dsa-5119","refsource":"MISC","name":"https://www.debian.org/security/2022/dsa-5119"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/"},{"url":"https://support.apple.com/kb/HT213345","refsource":"MISC","name":"https://support.apple.com/kb/HT213345"},{"url":"http://seclists.org/fulldisclosure/2022/Jul/18","refsource":"MISC","name":"http://seclists.org/fulldisclosure/2022/Jul/18"}]},"generator":{"engine":"Vulnogram 0.0.9"},"source":{"discovery":"UNKNOWN"},"credits":[{"lang":"en","value":"Apache Subversion would like to thank Evgeny Kotkov, visualsvn.com."}]},"nvd":{"publishedDate":"2022-04-12 18:15:00","lastModifiedDate":"2023-02-11 17:44:00","problem_types":["CWE-200"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:subversion:*:*:*:*:*:*:*:*","versionStartIncluding":"1.10.0","versionEndIncluding":"1.14.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*","versionStartIncluding":"12.0","versionEndExcluding":"12.5","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"28544","Ordinal":"203715","Title":"CVE-2021-28544","CVE":"CVE-2021-28544","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"28544","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}