Executive Summary
| Summary | |
|---|---|
| Title | New websvn packages fix information leak |
| Informations | |||
|---|---|---|---|
| Name | DSA-1725 | First vendor Publication | 2009-02-15 |
| Vendor | Debian | Last vendor Modification | 2009-02-15 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:S/C:P/I:N/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 3.5 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Medium |
| Cvss Expoit Score | 6.8 | Authentication | Requires single instance |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Bas van Schaik discovered that WebSVN, a tool to view Subversion repositories over the web, did not properly restrict access to private repositories, allowing a remote attacker to read significant parts of their content. The old stable distribution (etch) is not affected by this problem. For the stable distribution (lenny), this problem has been fixed in version 2.0-4+lenny1. For the unstable distribution (sid), this problem has also been fixed in version 2.0-4+lenny1. We recommend that you upgrade your websvn package. |
Original Source
| Url : http://www.debian.org/security/2009/dsa-1725 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:13516 | |||
| Oval ID: | oval:org.mitre.oval:def:13516 | ||
| Title: | DSA-1725-1 websvn -- programming error | ||
| Description: | Bas van Schaik discovered that WebSVN, a tool to view Subversion repositories over the web, did not properly restrict access to private repositories, allowing a remote attacker to read significant parts of their content. The old stable distribution is not affected by this problem. For the stable distribution, this problem has been fixed in version 2.0-4+lenny1. For the unstable distribution, this problem has also been fixed in version 2.0-4+lenny1. We recommend that you upgrade your websvn package. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1725-1 CVE-2009-0240 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | websvn |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-03-20 | Name : Debian Security Advisory DSA 1725-1 (websvn) File : nvt/deb_1725_1.nasl |
| 2009-03-13 | Name : Gentoo Security Advisory GLSA 200903-20 (websvn) File : nvt/glsa_200903_20.nasl |
| 2009-02-13 | Name : FreeBSD Ports: websvn File : nvt/freebsd_websvn.nasl |
| 2009-01-23 | Name : WebSVN Script Multiple Vulnerabilities File : nvt/secpod_websvn_mult_vuln.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 51611 | WebSVN listing.php repname Parameter Remote File Access |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2009-03-10 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200903-20.nasl - Type : ACT_GATHER_INFO |
| 2009-02-17 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1725.nasl - Type : ACT_GATHER_INFO |
| 2009-02-09 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_71597e3ef6b811dd94d90030843d3802.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:28:12 |
|
