CVE-2022-24070

CVE-2022-24070

Name

CVE-2022-24070

Description

Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://bz.apache.org/bugzilla/show_bug.cgi?id=65861
MISC	https://issues.apache.org/jira/browse/SVN-4880
MISC	https://cwiki.apache.org/confluence/display/HTTPD/ModuleLife
DEBIAN	https://www.debian.org/security/2022/dsa-5119
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/
Third Party Advisory	https://support.apple.com/kb/HT213345
Mailing List	http://seclists.org/fulldisclosure/2022/Jul/18
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/

Type

URI

MISC

https://bz.apache.org/bugzilla/show_bug.cgi?id=65861

MISC

https://issues.apache.org/jira/browse/SVN-4880

MISC

https://cwiki.apache.org/confluence/display/HTTPD/ModuleLife

DEBIAN

https://www.debian.org/security/2022/dsa-5119

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/

Third Party Advisory

https://support.apple.com/kb/HT213345

Mailing List

http://seclists.org/fulldisclosure/2022/Jul/18

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:apache:subversion::::::::`	subversion	>= 1.10.0	< 1.10.8
`cpe:2.3:a:apache:subversion::::::::`	subversion	>= 1.14.0	< 1.14.2

CPE URI

Source package

Min version

Max version

cpe:2.3:a:apache:subversion:*:*:*:*:*:*:*:*

subversion

>= 1.10.0

< 1.10.8

cpe:2.3:a:apache:subversion:*:*:*:*:*:*:*:*

subversion

>= 1.14.0

< 1.14.2

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
subversion	3.15-main	1.14.2-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
subversion	3.14-main	1.14.2-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
subversion	3.13-main	1.14.2-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed

Source package

Branch

Version

Maintainer

Status

subversion

3.15-main

1.14.2-r0

Natanael Copa <ncopa@alpinelinux.org>

fixed

subversion

3.14-main