CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2020-17525 – Remote unauthenticated denial-of-service in Subversion mod_authz_svn
https://notcve.org/view.php?id=CVE-2020-17525
Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL. This can lead to disruption for users of the service. This issue was fixed in mod_dav_svn+mod_authz_svn servers 1.14.1 and mod_dav_svn+mod_authz_svn servers 1.10.7 El módulo mod_authz_svn de Subversion se bloqueará si el servidor está usando reglas de autenticación en el repositorio con la opción AuthzSVNReposRelativeAccessFile y un cliente envía una petición para una URL de repositorio no existente. Esto puede causar interrupciones para los usuarios del servicio. Este problema se solucionó en los servidores mod_dav_svn+mod_authz_svn versión 1.14.1 y los servidores mod_dav_svn+mod_authz_svn versión 1.10.7 A null-pointer-dereference flaw was found in mod_authz_svn of subversion. • https://lists.debian.org/debian-lts-announce/2021/05/msg00000.html https://subversion.apache.org/security/CVE-2020-17525-advisory.txt https://access.redhat.com/security/cve/CVE-2020-17525 https://bugzilla.redhat.com/show_bug.cgi?id=1922303 • CWE-416: Use After Free CWE-476: NULL Pointer Dereference •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2304 – jenkins-2-plugins/subversion: XML parser is not preventing XML external entity (XXE) attacks
https://notcve.org/view.php?id=CVE-2020-2304
Jenkins Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Jenkins Subversion Plugin versiones 2.13.1 y anteriores, no configura su analizador XML para impedir ataques de tipo XML external entity (XXE) A flaw was found in the subversion Jenkins plugin. The XML parser is not properly configured to prevent XML external entity (XXE) attacks allowing an attacker the ability to control an agent process and have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. The highest threat from this vulnerability is to data confidentiality. • http://www.openwall.com/lists/oss-security/2020/11/04/6 https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2145 https://access.redhat.com/security/cve/CVE-2020-2304 https://bugzilla.redhat.com/show_bug.cgi?id=1895939 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2111 – jenkins-subversion-plugin: XSS in project repository base url
https://notcve.org/view.php?id=CVE-2020-2111
Jenkins Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation, resulting in a stored cross-site scripting vulnerability. Jenkins Subversion Plugin versiones 2.13.0 y anteriores, no escapa al mensaje de error para la comprobación del formulario del campo Project Repository Base URL, resultando en una vulnerabilidad de tipo cross-site scripting almacenado. • http://www.openwall.com/lists/oss-security/2020/02/12/3 https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1725 https://access.redhat.com/security/cve/CVE-2020-2111 https://bugzilla.redhat.com/show_bug.cgi?id=1819105 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2018-11782 – subversion: remotely triggerable DoS vulnerability in svnserve 'get-deleted-rev'
https://notcve.org/view.php?id=CVE-2018-11782
In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a well-formed read-only request produces a particular answer. This can lead to disruption for users of the server. En Apache Subversion versiones hasta 1.9.10, 1.10.4, 1.12.0 incluyéndolas, el proceso del servidor svnserve de Subversion puede cerrarse cuando una petición de solo lectura bien formada produce una respuesta en particular. Esto puede conllevar a interrupciones para usuarios del servidor. • http://subversion.apache.org/security/CVE-2018-11782-advisory.txt https://access.redhat.com/security/cve/CVE-2018-11782 https://bugzilla.redhat.com/show_bug.cgi?id=1733088 • CWE-20: Improper Input Validation CWE-617: Reachable Assertion •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2019-0203 – subversion: NULL pointer dereference in svnserve leading to an unauthenticated remote DoS
https://notcve.org/view.php?id=CVE-2019-0203
In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion's svnserve server process may exit when a client sends certain sequences of protocol commands. This can lead to disruption for users of the server. En Apache Subversion versiones hasta 1.9.10, 1.10.4, 1.12.0 incluyéndolas, el proceso del servidor svnserve de Subversion puede cerrarse cuando un cliente envía determinadas secuencias de comandos de protocolo. Esto puede conllevar a interrupciones para los usuarios del servidor. A flaw was found in subversion. • http://subversion.apache.org/security/CVE-2019-0203-advisory.txt https://access.redhat.com/security/cve/CVE-2019-0203 https://bugzilla.redhat.com/show_bug.cgi?id=1733073 • CWE-476: NULL Pointer Dereference CWE-755: Improper Handling of Exceptional Conditions •