Executive Summary
Information | | | |
---|---|---|---|
Name | MDVSA-2013:288 | First vendor Publication | 2013-12-17 |
Vendor | Mandriva | Last vendor Modification | 2013-12-17 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
CVSS vector : N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
CVSS vector : (AV:N/AC:M/Au:S/C:N/I:N/A:P) | | | |
---|---|---|---|
CVSS Base Score | 3.5 | Attack Range | Network |
CVSS Impact Score | 2.9 | Attack Complexity | Medium |
CVSS Exploit Score | 6.8 | Authentication | Requires single instance |
Detail
Updated subversion package fixes security vulnerabilities:

mod_dontdothat allows you to block update REPORT requests against certain paths in the repository. It expects the paths in the REPORT request to be absolute URLs. Serf-based clients send relative URLs instead of absolute URLs in many cases. As a result these clients are not blocked as configured by mod_dontdothat (CVE-2013-4505).

When SVNAutoversioning is enabled via SVNAutoversioning on, commits can be made by single HTTP requests such as MKCOL and PUT. If Subversion is built with assertions enabled, any such requests that have non-canonical URLs, such as URLs with a trailing /, may trigger an assert. An assert will cause the Apache process to abort (CVE-2013-4558).
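Both issues above come down to matching or asserting on a request path that was never canonicalized. As an added example (not mod_dontdothat's or mod_dav_svn's own code), a hypothetical block check in Python shows the literal comparison that a relative target slips past, beside a hardened version that resolves the target against an assumed repository root URL and normalizes trailing slashes and dot segments before matching:

```python
# Added illustration, not Subversion source. REPO_ROOT, BLOCKED_PATHS and the
# function names are constructed for this example; the assumption that a
# relative REPORT target is relative to the repository root is ours.
from urllib.parse import urljoin, urlsplit, unquote
import posixpath

# Constructed config: repository root and a mod_dontdothat-style list of
# absolute paths for which update REPORT requests should be refused.
REPO_ROOT = "http://svn.example.test/svn/repo/"
BLOCKED_PATHS = ["/svn/repo/trunk/"]


def canonical_path(target: str, base: str = REPO_ROOT) -> str:
    """Turn an absolute URL or a relative target into one canonical path.

    Relative targets are resolved against `base`, the host is dropped,
    %xx escapes are decoded, '.', '..' and '//' are collapsed, and a single
    trailing '/' is enforced so 'trunk' and 'trunk/' compare equal (the
    trailing-slash variant is what CVE-2013-4558 describes as non-canonical).
    """
    absolute = urljoin(base, target)
    path = unquote(urlsplit(absolute).path)
    path = posixpath.normpath(path)
    return path if path == "/" else path.rstrip("/") + "/"


def naive_is_blocked(target: str) -> bool:
    """Behaviour the advisory describes: compare the path as sent.

    An absolute URL matches the configured entry, but a relative target
    such as 'trunk/' never starts with '/svn/repo/trunk/', so it is allowed.
    """
    return any(urlsplit(target).path.startswith(b) for b in BLOCKED_PATHS)


def hardened_is_blocked(target: str, base: str = REPO_ROOT) -> bool:
    """Canonicalize both sides before the prefix comparison."""
    p = canonical_path(target, base)
    return any(p.startswith(canonical_path(b, base)) for b in BLOCKED_PATHS)


if __name__ == "__main__":
    for t in ["http://svn.example.test/svn/repo/trunk/", "trunk/", "trunk",
              "trunk/../branches/x/"]:
        print(f"{t!r:45} naive={naive_is_blocked(t)!s:5} "
              f"hardened={hardened_is_blocked(t)}")
```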
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2013:288
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-264 | Permissions, Privileges, and Access Controls |
50 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:24277 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:24277 | | |
Title: | Apache Subversion vulnerability 1.7.11 through 1.7.13 and 1.8.1 through 1.8.4 in VisualSVN Server allows remote attackers to cause a denial of service | | |
Description: | The get_parent_resource function in repos.c in the mod_dav_svn Apache HTTPD server module in Subversion 1.7.11 through 1.7.13 and 1.8.1 through 1.8.4, when built with assertions enabled and SVNAutoversioning is enabled, allows remote attackers to cause a denial of service (assertion failure and Apache process abort) via a non-canonical URL in a request, as demonstrated using a trailing /. | | |
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-4558 | Version: | 5 |
Platform(s): | Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2, Microsoft Windows Server 2012 | Product(s): | VisualSVN Server |
Definition Id: oval:org.mitre.oval:def:24294 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:24294 | | |
Title: | Apache Subversion vulnerability 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 in VisualSVN Server allows remote attackers to bypass intended access restrictions and possibly cause a denial of service | | |
Description: | The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass intended access restrictions and possibly cause a denial of service (resource consumption) via a relative URL in a REPORT request. | | |
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-4505 | Version: | 5 |
Platform(s): | Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2, Microsoft Windows Server 2012 | Product(s): | VisualSVN Server |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_subversion_20140401.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-942.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-962.nasl - Type : ACT_GATHER_INFO |
2014-02-28 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2014-058-01.nasl - Type : ACT_GATHER_INFO |
2014-01-02 | Name : The remote Fedora host is missing a security update. File : fedora_2013-22575.nasl - Type : ACT_GATHER_INFO |
2013-12-23 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-269.nasl - Type : ACT_GATHER_INFO |
2013-12-20 | Name : The remote host has an application that is affected by multiple denial of ser... File : subversion_1_8_5.nasl - Type : ACT_GATHER_INFO |
2013-12-18 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-288.nasl - Type : ACT_GATHER_INFO |
2013-12-11 | Name : The remote Fedora host is missing a security update. File : fedora_2013-22208.nasl - Type : ACT_GATHER_INFO |
2013-12-11 | Name : The remote Fedora host is missing a security update. File : fedora_2013-22313.nasl - Type : ACT_GATHER_INFO |
2013-11-26 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_e3244a7b560311e3878d20cf30e32f6d.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:44:11 | |
2013-12-17 21:19:16 | |