CVE-2013-4558
Slackware Security Advisory - subversion Updates
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The get_parent_resource function in repos.c in mod_dav_svn Apache HTTPD server module in Subversion 1.7.11 through 1.7.13 and 1.8.1 through 1.8.4, when built with assertions enabled and SVNAutoversioning is enabled, allows remote attackers to cause a denial of service (assertion failure and Apache process abort) via a non-canonical URL in a request, as demonstrated using a trailing /.
La función get_parent_resource en respos.c en el módulo de servidor mod_dav_svn Apache HTTPD en Subversion 1.7.11 a 1.7.13 y 1.8.1 a 1.8.4, cuando se construyen con aserciones activas y SVNAutoversioning está habilitado, permite a atacantes remotos causar denegación de servicio (fallo de aserción y aborto de proceso Apache) a través de una URL no canónica en una petición, como se muestra utilizando una '/' final.
mod_dontdothat allows you to block update REPORT requests against certain paths in the repository. It expects the paths in the REPORT request to be absolute URLs. Serf based clients send relative URLs instead of absolute URLs in many cases. As a result these clients are not blocked as configured by mod_dontdothat. When SVNAutoversioning is enabled via SVNAutoversioning on, commits can be made by single HTTP requests such as MKCOL and PUT. If Subversion is built with assertions enabled any such requests that have non-canonical URLs, such as URLs with a trailing /, may trigger an assert. An assert will cause the Apache process to abort.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2013-06-12 CVE Reserved
- 2013-12-07 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (7)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://subversion.apache.org/security/CVE-2013-4558-advisory.txt | 2024-03-28 |
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-updates/2013-12/msg00029.html | 2024-03-28 | |
| http://lists.opensuse.org/opensuse-updates/2013-12/msg00048.html | 2024-03-28 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Mod Dav Svn Search vendor "Apache" for product "Mod Dav Svn" | - | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.7.11 Search vendor "Apache" for product "Subversion" and version "1.7.11" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.7.12 Search vendor "Apache" for product "Subversion" and version "1.7.12" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.7.13 Search vendor "Apache" for product "Subversion" and version "1.7.13" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.8.1 Search vendor "Apache" for product "Subversion" and version "1.8.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.8.2 Search vendor "Apache" for product "Subversion" and version "1.8.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.8.3 Search vendor "Apache" for product "Subversion" and version "1.8.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Subversion Search vendor "Apache" for product "Subversion" | 1.8.4 Search vendor "Apache" for product "Subversion" and version "1.8.4" | - |
Affected
| ||||||