CVE-2016-2167 - Improper Access Control vulnerability in Apache Subversion
- Attack vector: NETWORK
- Attack complexity: HIGH
- Privileges required: LOW
- Confidentiality impact: HIGH
- Integrity impact: HIGH
- Availability impact: NONE

Summary
The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string.
Common Attack Pattern Enumeration and Classification (CAPEC)
- Embedding Scripts within Scripts: An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
- Signature Spoofing by Key Theft: An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2016-20CC04AC50.NASL
- description: - Update to 1.9.4 (#1331222) CVE-2016-2167 CVE-2016-2168 - Move tools in docs to tools subpackage (rhbz 1171757 1199761) - Disable make check to work around FTBFS Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-05
- modified: 2016-05-12
- plugin id: 91059
- published: 2016-05-12
- reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/91059
- title: Fedora 24 : subversion-1.9.4-1.fc24 (2016-20cc04ac50)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2016-20cc04ac50.
#

include("compat.inc");

if (description)
{
  script_id(91059);
  script_version("2.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-2167", "CVE-2016-2168");
  script_xref(name:"FEDORA", value:"2016-20cc04ac50");

  script_name(english:"Fedora 24 : subversion-1.9.4-1.fc24 (2016-20cc04ac50)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
" - Update to 1.9.4 (#1331222) CVE-2016-2167 CVE-2016-2168 - Move tools in docs to tools subpackage (rhbz 1171757 1199761) - Disable make check to work around FTBFS Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1171757"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1199761"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1331222"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1331687"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2016-May/184545.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?0d62a72a"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected subversion package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N");
  script_set_attribute(attribute:"plugin_type", value:"local");

  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:subversion");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/05/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC24", reference:"subversion-1.9.4-1.fc24")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "subversion");
}
```

- NASL family: SuSE Local Security Checks
- NASL id: OPENSUSE-2016-571.NASL
- description: This update for subversion fixes the following issues : - CVE-2016-2167: mod_authz_svn: DoS in MOVE/COPY authorization check (bsc#976849) - CVE-2016-2168: svnserve/sasl may authenticate users using the wrong realm (bsc#976850) The following non-security bugs were fixed : - mod_authz_svn: fix authz with mod_auth_kerb/mod_auth_ntlm (boo#977424)
- last seen: 2020-06-05
- modified: 2016-05-09
- plugin id: 90983
- published: 2016-05-09
- reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/90983
- title: openSUSE Security Update : subversion (openSUSE-2016-571)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2016-571.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(90983);
  script_version("2.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-2167", "CVE-2016-2168");

  script_name(english:"openSUSE Security Update : subversion (openSUSE-2016-571)");
  script_summary(english:"Check for the openSUSE-2016-571 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for subversion fixes the following issues : - CVE-2016-2167: mod_authz_svn: DoS in MOVE/COPY authorization check (bsc#976849) - CVE-2016-2168: svnserve/sasl may authenticate users using the wrong realm (bsc#976850) The following non-security bugs were fixed : - mod_authz_svn: fix authz with mod_auth_kerb/mod_auth_ntlm (boo#977424)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=976849"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=976850"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=977424"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected subversion packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N");
  script_set_attribute(attribute:"plugin_type", value:"local");

  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsvn_auth_gnome_keyring-1-0-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libsvn_auth_kwallet-1-0-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-bash-completion");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-perl-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-python");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-python-ctypes");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-python-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-ruby");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-ruby-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-server-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:subversion-tools-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:13.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/05/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/09");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE13\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "13.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE13.2", reference:"libsvn_auth_gnome_keyring-1-0-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"libsvn_auth_gnome_keyring-1-0-debuginfo-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"libsvn_auth_kwallet-1-0-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"libsvn_auth_kwallet-1-0-debuginfo-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"subversion-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"subversion-bash-completion-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"subversion-debuginfo-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"subversion-debugsource-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"subversion-devel-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"subversion-perl-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"subversion-perl-debuginfo-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"subversion-python-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"subversion-python-ctypes-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"subversion-python-debuginfo-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"subversion-ruby-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"subversion-ruby-debuginfo-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"subversion-server-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"subversion-server-debuginfo-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"subversion-tools-1.8.16-2.26.1") ) flag++;
if ( rpm_check(release:"SUSE13.2", reference:"subversion-tools-debuginfo-1.8.16-2.26.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libsvn_auth_gnome_keyring-1-0 / etc");
}
```

- NASL family: Huawei Local Security Checks
- NASL id: EULEROS_SA-2019-2504.NASL
- description: According to the versions of the subversion packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Apache Subversion
- last seen: 2020-05-08
- modified: 2019-12-04
- plugin id: 131657
- published: 2019-12-04
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/131657
- title: EulerOS 2.0 SP2 : subversion (EulerOS-SA-2019-2504)

- NASL family: Amazon Linux Local Security Checks
- NASL id: ALA_ALAS-2016-709.NASL
- description: The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string. (CVE-2016-2167) The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check. (CVE-2016-2168)
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 91468
- published: 2016-06-06
- reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/91468
- title: Amazon Linux AMI : subversion (ALAS-2016-709)

- NASL family: Ubuntu Local Security Checks
- NASL id: UBUNTU_USN-3388-1.NASL
- description: Joern Schneeweisz discovered that Subversion did not properly handle host names in
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 102424
- published: 2017-08-11
- reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/102424
- title: Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : subversion vulnerabilities (USN-3388-1)

- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-201610-05.NASL
- description: The remote host is affected by the vulnerability described in GLSA-201610-05 (Subversion, Serf: Multiple Vulnerabilities) Multiple vulnerabilities have been discovered in Subversion and Serf. Please review the CVE identifiers referenced below for details Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, conduct a man-in-the-middle attack, obtain sensitive information, or cause a Denial of Service Condition. Workaround : There is no known workaround at this time.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 93992
- published: 2016-10-12
- reporter: This script is Copyright (C) 2016 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/93992
- title: GLSA-201610-05 : Subversion, Serf: Multiple Vulnerabilities

- NASL family: Huawei Local Security Checks
- NASL id: EULEROS_SA-2019-2669.NASL
- description: According to the versions of the subversion packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Apache Subversion
- last seen: 2020-05-08
- modified: 2019-12-18
- plugin id: 132204
- published: 2019-12-18
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/132204
- title: EulerOS 2.0 SP3 : subversion (EulerOS-SA-2019-2669)

- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-3561.NASL
- description: Several vulnerabilities were discovered in Subversion, a version control system. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2016-2167 Daniel Shahaf and James McCoy discovered that an implementation error in the authentication against the Cyrus SASL library would permit a remote user to specify a realm string which is a prefix of the expected realm string and potentially allowing a user to authenticate using the wrong realm. - CVE-2016-2168 Ivan Zhakov of VisualSVN discovered a remotely triggerable denial of service vulnerability in the mod_authz_svn module during COPY or MOVE authorization check. An authenticated remote attacker could take advantage of this flaw to cause a denial of service (Subversion server crash) via COPY or MOVE requests with specially crafted header.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 90808
- published: 2016-05-02
- reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/90808
- title: Debian DSA-3561-1 : subversion - security update

- NASL family: PhotonOS Local Security Checks
- NASL id: PHOTONOS_PHSA-2016-0013.NASL
- description: An update of [ subversion, libtasn1, unzip, dhcp ] packages for PhotonOS has been released.
- last seen: 2019-02-21
- modified: 2019-02-07
- plugin id: 111847
- published: 2018-08-17
- reporter: Tenable
- source: https://www.tenable.com/plugins/index.php?view=single&id=111847
- title: Photon OS 1.0: Dhcp / Libtasn1 / Subversion / Unzip PHSA-2016-0013 (deprecated)

- NASL family: PhotonOS Local Security Checks
- NASL id: PHOTONOS_PHSA-2016-0013_SUBVERSION.NASL
- description: An update of the subversion package has been released.
- last seen: 2020-03-17
- modified: 2019-02-07
- plugin id: 121656
- published: 2019-02-07
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/121656
- title: Photon OS 1.0: Subversion PHSA-2016-0013

- NASL family: SuSE Local Security Checks
- NASL id: OPENSUSE-2016-570.NASL
- description: This update for subversion fixes the following issues : - CVE-2016-2167: mod_authz_svn: DoS in MOVE/COPY authorization check (bsc#976849) - CVE-2016-2168: svnserve/sasl may authenticate users using the wrong realm (bsc#976850) The following non-security bugs were fixed : - bsc#969159: subversion dependencies did not enforce matching password store - bsc#911620: svnserve could not be started via YaST Service manager This update was imported from the SUSE:SLE-12:Update update project.
- last seen: 2020-06-05
- modified: 2016-05-09
- plugin id: 90982
- published: 2016-05-09
- reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/90982
- title: openSUSE Security Update : subversion (openSUSE-2016-570)

- NASL family: Slackware Local Security Checks
- NASL id: SLACKWARE_SSA_2016-121-01.NASL
- description: New subversion packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 90802
- published: 2016-05-02
- reporter: This script is Copyright (C) 2016 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/90802
- title: Slackware 14.0 / 14.1 / current : subversion (SSA:2016-121-01)

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2016-E024B3E02B.NASL
- description: - Update to 1.9.4 (#1331222) CVE-2016-2167 CVE-2016-2168 - Move tools in docs to tools subpackage (rhbz 1171757 1199761) - Disable make check to work around FTBFS Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-05
- modified: 2016-07-14
- plugin id: 92183
- published: 2016-07-14
- reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/92183
- title: Fedora 23 : subversion (2016-e024b3e02b)

- NASL family: Huawei Local Security Checks
- NASL id: EULEROS_SA-2019-2550.NASL
- description: According to the versions of the subversion packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Integer overflow in util.c in mod_dav_svn in Apache Subversion 1.7.x, 1.8.x before 1.8.15, and 1.9.x before 1.9.3 allows remote authenticated users to cause a denial of service (subversion server crash or memory consumption) and possibly execute arbitrary code via a skel-encoded request body, which triggers an out-of-bounds read and heap-based buffer overflow.(CVE-2015-5343) - The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string.(CVE-2016-2167) - The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check.(CVE-2016-2168) - Apache Subversion
- last seen: 2020-05-08
- modified: 2019-12-09
- plugin id: 131824
- published: 2019-12-09
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/131824
- title: EulerOS 2.0 SP5 : subversion (EulerOS-SA-2019-2550)

- NASL family: Amazon Linux Local Security Checks
- NASL id: ALA_ALAS-2016-710.NASL
- description: The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string. (CVE-2016-2167) The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check. (CVE-2016-2168)
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 91469
- published: 2016-06-06
- reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/91469
- title: Amazon Linux AMI : mod_dav_svn (ALAS-2016-710)

- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_C8174B630D3A11E6B06ED43D7EED0CE2.NASL
- description: Subversion project reports : svnserve, the svn:// protocol server, can optionally use the Cyrus SASL library for authentication, integrity protection, and encryption. Due to a programming oversight, authentication against Cyrus SASL would permit the remote user to specify a realm string which is a prefix of the expected realm string. Subversion
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 90780
- published: 2016-04-29
- reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/90780
- title: FreeBSD : subversion -- multiple vulnerabilities (c8174b63-0d3a-11e6-b06e-d43d7eed0ce2)

- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DLA-448.NASL
- description: CVE-2016-2167 svnserve, the svn:// protocol server, can optionally use the Cyrus SASL library for authentication, integrity protection, and encryption. Due to a programming oversight, authentication against Cyrus SASL would permit the remote user to specify a realm string which is a prefix of the expected realm string. CVE-2016-2168 Subversion
- last seen: 2020-03-17
- modified: 2016-05-02
- plugin id: 90805
- published: 2016-05-02
- reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/90805
- title: Debian DLA-448-1 : subversion security update

References
- http://www.debian.org/security/2016/dsa-3561
- http://www.securitytracker.com/id/1035706
- http://subversion.apache.org/security/CVE-2016-2167-advisory.txt
- http://www.securityfocus.com/bid/89417
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.417496
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00044.html
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00043.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184545.html
- https://security.gentoo.org/glsa/201610-05
- https://www.oracle.com/security-alerts/cpuoct2020.html
- http://mail-archives.apache.org/mod_mbox/subversion-announce/201604.mbox/%3CCAP_GPNgJet+7_MAhomFVOXPgLtewcUw9w=k9zdPCkq5tvPxVMA%40mail.gmail.com%3E
- http://mail-archives.apache.org/mod_mbox/subversion-announce/201604.mbox/%3CCAP_GPNgfn1iKueW51EpmXzXi_URNfGNofZSgOyW1_jnSeNm5DQ%40mail.gmail.com%3E