SecurityTracker.com
Category:   Application (Generic)  >   Apache Subversion
Vendors:   Apache Software Foundation, subversion.tigris.org
Apache Subversion Bugs Let Remote Users Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1033215
SecurityTracker URL:  http://securitytracker.com/id/1033215
CVE Reference:   CVE-2015-3184, CVE-2015-3187
Date:  Aug 7 2015
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.7.0 to 1.7.20, 1.8.0 to 1.8.13
Description:   Two vulnerabilities were reported in Apache Subversion. A remote user can obtain potentially sensitive information on the target system.

A remote user can supply a specially crafted path value to exploit a flaw in mod_authz_svn to gain access to potentially sensitive information from an ostensibly hidden repository [CVE-2015-3184].

Repositories configured for anonymous read are affected.

[Editor's note: This vulnerability has been assigned CVE-2015-3185 for the Apache httpd.]

A remote authenticated user can exploit a flaw in svn_repos_trace_node_locations() to view path names that are ostensibly hidden by authz [CVE-2015-3187].

C. Michael Pilato of CollabNet reported these vulnerabilities.

Impact:   A remote user can obtain potentially sensitive information from an ostensibly hidden repository.

A remote authenticated user can view ostensibly hidden path names.

Solution:   The vendor has issued a fix (1.7.21, 1.8.14).

The vendor's advisories are available at:

http://subversion.apache.org/security/CVE-2015-3184-advisory.txt
http://subversion.apache.org/security/CVE-2015-3187-advisory.txt
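
Added example (not part of the original advisory or of the Subversion project): a shell function that classifies a Subversion version string against the affected ranges and fixed releases listed above. The function name classify_svn_version is hypothetical. Distribution packages may carry the fix as a backport without changing the upstream version number, so treat "affected" on a vendor package as a prompt to check that vendor's update notice.

```shell
#!/bin/sh
# Added example: compare a Subversion version with the ranges in this
# advisory. Affected: 1.7.0 to 1.7.20 and 1.8.0 to 1.8.13.
# Fixed: 1.7.21 and 1.8.14. The function name is hypothetical.

classify_svn_version() {
    # Keep only the leading MAJOR.MINOR.PATCH part so that a packaging
    # suffix (for example "-something") does not break the comparison.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unparseable"
        return 0
    fi

    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    # Highest affected patch level per release line, from the advisory.
    case "$major.$minor" in
        1.7) last_affected=20 ;;
        1.8) last_affected=13 ;;
        *)
            # Release line outside the ranges this advisory lists.
            echo "not-listed"
            return 0
            ;;
    esac

    if [ "$patch" -le "$last_affected" ]; then
        echo "affected"
    else
        echo "fixed"
    fi
    return 0
}

# Stand-alone use: classify the locally installed client, if any.
if command -v svn >/dev/null 2>&1; then
    installed=$(svn --version --quiet)
    echo "svn $installed: $(classify_svn_version "$installed")"
fi
```

The mod_authz_svn issue is server-side, so run the check against the version installed on the host that serves the repositories, not only on client machines.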

Vendor URL:  subversion.apache.org/security/CVE-2015-3184-advisory.txt
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 18 2015 (Red Hat Issues Fix) Apache Subversion Bugs Let Remote Users Obtain Potentially Sensitive Information
Red Hat has issued a fix for Red Hat Enterprise Linux 6.
Aug 18 2015 (CentOS Issues Fix) Apache Subversion Bugs Let Remote Users Obtain Potentially Sensitive Information
CentOS has issued a fix for CentOS Linux 6.
Aug 18 2015 (Oracle Issues Fix for Oracle Linux) Apache Subversion Bugs Let Remote Users Obtain Potentially Sensitive Information
Oracle has issued a fix for Oracle Linux 6.
Aug 21 2015 (Ubuntu Issues Fix) Apache Subversion Bugs Let Remote Users Obtain Potentially Sensitive Information
Ubuntu has issued a fix for Ubuntu 12.04 LTS, 14.04 LTS, and 15.04.
Sep 8 2015 (Red Hat Issues Fix) Apache Subversion Bugs Let Remote Users Obtain Potentially Sensitive Information
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Sep 9 2015 (CentOS Issues Fix) Apache Subversion Bugs Let Remote Users Obtain Potentially Sensitive Information
CentOS has issued a fix for CentOS Linux 7.
Sep 9 2015 (Oracle Issues Fix for Oracle Linux) Apache Subversion Bugs Let Remote Users Obtain Potentially Sensitive Information
Oracle has issued a fix for Oracle Linux 7.
Mar 21 2016 (Apple Issues Fix for Apple Xcode) Apache Subversion Bugs Let Remote Users Obtain Potentially Sensitive Information
Apple has issued a fix for Apple Xcode.
Copyright 2019, SecurityGlobal.net LLC