Apache Subversion up to 1.7.18/1.8.10 mod_dav_svn null pointer dereference
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
4.6 | $0-$5k | 0.00 |
A vulnerability classified as problematic has been found in Apache Subversion up to 1.7.18/1.8.10 (Versioning Software). It affects an unknown functionality of the component mod_dav_svn. Manipulation with an unknown input leads to a null pointer dereference, classified as CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid but that is NULL, typically causing a crash or exit. The impact is on availability.
The weakness was disclosed on 12/18/2014 by Evgeny Kotkov with VisualSVN in the confirmed advisory CVE-2014-8108-advisory.txt (Website). The advisory can be read at subversion.apache.org. The vulnerability has been identified as CVE-2014-8108 since 10/10/2014. The attack may be initiated remotely. No form of authentication is needed for successful exploitation. The technical details are unknown and an exploit is not publicly available.
The vulnerability scanner Nessus provides a plugin with the ID 80864 (Apache Subversion 1.7.x < 1.7.19 / 1.8.x < 1.8.11 Multiple Remote DoS), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Web Servers. The commercial vulnerability scanner Qualys is able to test this issue with plugin 350799 (Amazon Linux Security Advisory for subversion: AL2012-2015-032).
Upgrading to version 1.7.19 or 1.8.11 eliminates this vulnerability. Applying a patch also eliminates the problem; the bugfix is available for download at subversion.apache.org. The best possible mitigation is upgrading to the latest version. A possible mitigation was published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (99812) and Tenable (80864). The entries 12199, 68446 and 70661 are pretty similar.
Product
Version
- 1.7.0
- 1.7.1
- 1.7.2
- 1.7.3
- 1.7.4
- 1.7.5
- 1.7.6
- 1.7.7
- 1.7.8
- 1.7.9
- 1.7.10
- 1.7.11
- 1.7.12
- 1.7.13
- 1.7.14
- 1.7.15
- 1.7.16
- 1.7.17
- 1.7.18
- 1.8.0
- 1.8.1
- 1.8.2
- 1.8.3
- 1.8.4
- 1.8.5
- 1.8.6
- 1.8.7
- 1.8.8
- 1.8.9
- 1.8.10
CVSSv3
VulDB Meta Base Score: 5.3
VulDB Meta Temp Score: 4.6
VulDB Base Score: 5.3
VulDB Temp Score: 4.6
Exploiting
Class: Null pointer dereference
CWE: CWE-476 / CWE-404
ATT&CK: Unknown
Local: No
Remote: Yes
Status: Unproven
Nessus ID: 80864
Nessus Name: Apache Subversion 1.7.x < 1.7.19 / 1.8.x < 1.8.11 Multiple Remote DoS
OpenVAS ID: 14611
OpenVAS Name: Amazon Linux Local Check: alas-2015-555
Countermeasures
Recommended: Upgrade
Upgrade: Subversion 1.7.19/1.8.11
Patch: subversion.apache.org
Sources
Vendor: apache.org
Advisory: CVE-2014-8108-advisory.txt
Researcher: Evgeny Kotkov
Organization: VisualSVN
Status: Confirmed
CVE: CVE-2014-8108
X-Force: 99812 - Apache Subversion mod_dav_svn denial of service, Medium Risk
SecurityTracker: 1031403 - Subversion mod_dav_svn URI Processing Flaw Lets Remote Users Deny Service
Vulnerability Center: 48921 - Apache Subversion <1.7.19, 1.8.0 - 1.8.10 Remote DoS Vulnerability via a URI Request, Medium
SecurityFocus: 71725 - Apache Subversion CVE-2014-8108 Remote Denial of Service Vulnerability
Secunia: 61131
Entry
Created: 12/19/2014 09:15
Updated: 03/01/2022 13:16
Changes: 12/19/2014 09:15 (78), 06/22/2017 10:32 (8), 03/01/2022 13:11 (3), 03/01/2022 13:16 (1)