Credentials Management Affecting subversion package, versions <1.8.10-1
Snyk CVSS
Attack Complexity
High
Threat Intelligence
EPSS
0.19% (57th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN9-SUBVERSION-344422
- published 19 Aug 2014
- disclosed 19 Aug 2014
Introduced: 19 Aug 2014
CVE-2014-3528 Open this link in a new tabHow to fix?
Upgrade Debian:9 subversion to version 1.8.10-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream subversion package and not the subversion package as distributed by Debian.
See How to fix? for Debian:9 relevant fixed versions and status.
Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm.
References
- https://security-tracker.debian.org/tracker/CVE-2014-3528
- https://support.apple.com/HT204427
- http://lists.apple.com/archives/security-announce/2015/Mar/msg00003.html
- http://subversion.apache.org/security/CVE-2014-3528-advisory.txt
- https://security.gentoo.org/glsa/201610-05
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00038.html
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://rhn.redhat.com/errata/RHSA-2015-0165.html
- http://rhn.redhat.com/errata/RHSA-2015-0166.html
- http://secunia.com/advisories/59432
- http://secunia.com/advisories/59584
- http://secunia.com/advisories/60722
- http://www.securityfocus.com/bid/68995
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-3528
- http://www.ubuntu.com/usn/USN-2316-1