CVE-2021-28544

MEDIUM

Apache Subversion < 1.14.1 - Information Disclosure

Title source: rule

Description

Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.

References (6)

[Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2022/Jul/18

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/

[Exploit, Patch, Vendor Advisory] https://subversion.apache.org/security/CVE-2021-28544-advisory.txt

[Third Party Advisory] https://support.apple.com/kb/HT213345

[Third Party Advisory] https://www.debian.org/security/2022/dsa-5119

Scores

CVSS v3 4.3

EPSS 0.0041

EPSS Percentile 60.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-200

Status published

Affected Products (6)

apache/subversion < 1.14.1

debian/debian_linux

debian/debian_linux

fedoraproject/fedora

fedoraproject/fedora

apple/macos < 12.5

Timeline

Published Apr 12, 2022

Tracked Since Feb 18, 2026