The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is disabled, does not properly enforce permissions for files that had been publicly readable in the past, which allows remote attackers to obtain sensitive information via a replay REPORT operation.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Apache
  • Subversion
Redhat
  • Enterprise Linux

Configuration 1 [-]

OR cpe:2.3:a:apache:subversion:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.5.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.5.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.5.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.5.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.5.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.5.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.5.8:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:apache:subversion:1.6.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.6.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.6.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.6.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.6.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.6.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.6.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.6.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.6.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.6.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.6.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.6.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.6.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.6.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.6.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.6.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:subversion:1.6.16:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 5
subversion-0:1.6.11-7.el5_6.4 cpe:/o:redhat:enterprise_linux:5 RHSA-2011:0862 2011-06-08T00:00:00Z
Red Hat Enterprise Linux 6
subversion-0:1.6.11-2.el6_1.4 cpe:/o:redhat:enterprise_linux:6 RHSA-2011:0862 2011-06-08T00:00:00Z
References
Link Providers
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062211.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061913.html cve-icon cve-icon
http://secunia.com/advisories/44633 cve-icon cve-icon
http://secunia.com/advisories/44681 cve-icon cve-icon
http://secunia.com/advisories/44849 cve-icon cve-icon
http://secunia.com/advisories/44888 cve-icon cve-icon
http://secunia.com/advisories/45162 cve-icon cve-icon
http://subversion.apache.org/security/CVE-2011-1921-advisory.txt cve-icon cve-icon
http://support.apple.com/kb/HT5130 cve-icon cve-icon
http://svn.apache.org/repos/asf/subversion/tags/1.6.17/CHANGES cve-icon cve-icon
http://www.debian.org/security/2011/dsa-2251 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2011:106 cve-icon cve-icon
http://www.redhat.com/support/errata/RHSA-2011-0862.html cve-icon cve-icon
http://www.securityfocus.com/bid/48091 cve-icon cve-icon
http://www.securitytracker.com/id?1025619 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-1144-1 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=709114 cve-icon cve-icon
https://exchange.xforce.ibmcloud.com/vulnerabilities/67804 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2011-1921 cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18999 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2011-1921 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2024-08-06T22:45:59.995Z

Reserved: 2011-05-09T00:00:00

Link: CVE-2011-1921

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2011-06-06T19:55:02.020

Modified: 2024-11-21T01:27:18.800

Link: CVE-2011-1921

cve-icon Redhat

Severity : Low

Publid Date: 2011-06-01T00:00:00Z

Links: CVE-2011-1921 - Bugzilla