Executive Summary
Informations | |||
---|---|---|---|
Name | MDVSA-2013:152 | First vendor Publication | 2013-04-26 |
Vendor | Mandriva | Last vendor Modification | 2013-04-26 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Multiple vulnerabilities has been found and corrected in subversion: Subversion's mod_dav_svn Apache HTTPD server module will use excessive amounts of memory when a large number of properties are set or deleted on a node. This can lead to a DoS. There are no known instances of this problem being observed in the wild (CVE-2013-1845). Subversion's mod_dav_svn Apache HTTPD server module will crash when a LOCK request is made against activity URLs. This can lead to a DoS. There are no known instances of this problem being observed in the wild (CVE-2013-1846). Subversion's mod_dav_svn Apache HTTPD server module will crash in some circumstances when a LOCK request is made against a non-existent URL. This can lead to a DoS. There are no known instances of this problem being observed in the wild (CVE-2013-1847). Subversion's mod_dav_svn Apache HTTPD server module will crash when a PROPFIND request is made against activity URLs. This can lead to a DoS. There are no known instances of this problem being observed in the wild, but the details of how to exploit it have been disclosed on the full disclosure mailing list (CVE-2013-1849). The updated packages have been upgraded to the 1.6.21 version which is not affected by these issues. |
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2013:152 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:18087 | |||
Oval ID: | oval:org.mitre.oval:def:18087 | ||
Title: | Apache Subversion vulnerability 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 in VisualSVN Server (CVE-2013-1846) | ||
Description: | The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a LOCK on an activity URL. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-1846 | Version: | 6 |
Platform(s): | Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 | Product(s): | VisualSVN Server |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18538 | |||
Oval ID: | oval:org.mitre.oval:def:18538 | ||
Title: | Apache Subversion vulnerability 1.6.0 through 1.6.20 and 1.7.0 through 1.7.8 in VisualSVN Server (CVE-2013-1847) | ||
Description: | The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an anonymous LOCK for a URL that does not exist. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-1847 | Version: | 6 |
Platform(s): | Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 | Product(s): | VisualSVN Server |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18973 | |||
Oval ID: | oval:org.mitre.oval:def:18973 | ||
Title: | Apache Subversion vulnerability 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 in VisualSVN Server (CVE-2013-1845) | ||
Description: | The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting or (2) deleting a large number of properties for a file or directory. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-1845 | Version: | 5 |
Platform(s): | Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 | Product(s): | VisualSVN Server |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18980 | |||
Oval ID: | oval:org.mitre.oval:def:18980 | ||
Title: | Apache Subversion vulnerability 1.6.0 through 1.6.20 and 1.7.0 through 1.7.8 in VisualSVN Server (CVE-2013-1849) | ||
Description: | The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a PROPFIND request for an activity URL. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-1849 | Version: | 5 |
Platform(s): | Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 | Product(s): | VisualSVN Server |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25981 | |||
Oval ID: | oval:org.mitre.oval:def:25981 | ||
Title: | SUSE-SU-2013:0837-1 -- Security update for subversion | ||
Description: | This update fixes several DoS vulnerabilities in subversion's mod_dav_svn Apache HTTPD server module. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:0837-1 CVE-2013-1849 CVE-2013-1846 CVE-2013-1845 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Desktop 10 | Product(s): | subversion |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2013-0837-1.nasl - Type : ACT_GATHER_INFO |
2015-04-27 | Name : The remote Debian host is missing a security update. File : debian_DLA-207.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_subversion_20140401.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-345.nasl - Type : ACT_GATHER_INFO |
2013-09-24 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201309-11.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-180.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0737.nasl - Type : ACT_GATHER_INFO |
2013-06-28 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1893-1.nasl - Type : ACT_GATHER_INFO |
2013-05-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_cvs2svn-8552.nasl - Type : ACT_GATHER_INFO |
2013-05-16 | Name : The remote host has an application that is affected by multiple denial of ser... File : subversion_1_6_21.nasl - Type : ACT_GATHER_INFO |
2013-04-29 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-153.nasl - Type : ACT_GATHER_INFO |
2013-04-13 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130411_subversion_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-04-12 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2013-095-01.nasl - Type : ACT_GATHER_INFO |
2013-04-12 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0737.nasl - Type : ACT_GATHER_INFO |
2013-04-12 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0737.nasl - Type : ACT_GATHER_INFO |
2013-04-08 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_b6beb1379dc011e2882f20cf30e32f6d.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2013-05-03 21:21:58 |
|
2013-05-02 21:20:21 |
|
2013-04-26 13:18:32 |
|