CVE-2021-28544 in macOS
Summary
by MITRE • 04/12/2022
Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 10/21/2025
The vulnerability identified as CVE-2021-28544 represents a significant information disclosure flaw in Apache Subversion servers that directly impacts the integrity of access control mechanisms. This issue affects the path-based authorization system that administrators rely upon to protect sensitive repository content, creating a scenario where unauthorized users can gain insights into protected paths through the copyfrom functionality. The regression in the authorization logic means that previously functioning security controls have been compromised, allowing information leakage that undermines the fundamental security assumptions of repository access management. This vulnerability specifically targets the authorization enforcement mechanism within Subversion's implementation, where the system fails to properly restrict access to copyfrom path information even when the original location is protected by authz rules.
The technical implementation flaw manifests in how Subversion handles copy operations within its authorization framework, particularly when processing copyfrom paths during repository operations. When a node is copied from a location that has been restricted by authorization rules, the system should prevent unauthorized users from accessing the copyfrom path information. However, this vulnerability allows users with read access to the copied node to discover the original source path, effectively bypassing the intended authorization controls. The flaw exists in both the httpd and svnserve server implementations, indicating a systemic issue within the Subversion codebase rather than a server-specific problem. This affects the core authorization decision-making process during copy operations, where the system should enforce access controls not just on the target node but also on the metadata associated with the copy operation, particularly the copyfrom path information.
The operational impact of this vulnerability extends beyond simple information disclosure, as it enables attackers to map the structure and content of protected repository areas through indirect means. An attacker can identify which locations have been copied from protected areas, effectively creating a reconnaissance mechanism that reveals repository topology and access patterns. This information can be particularly valuable in planning further attacks, as it provides insights into which repository paths contain sensitive information. The vulnerability also undermines the principle of least privilege, as users who should only have access to specific repository areas can discover the existence and location of protected content through copy operations. This creates a situation where the authorization system becomes ineffective at hiding information, potentially exposing sensitive repository structures and access patterns that administrators intended to keep confidential.
The security implications align with CWE-200, which addresses information exposure, and relates to ATT&CK technique T1083, which covers directory and file discovery. Organizations using Subversion repositories with path-based authorization are at risk of unauthorized information gathering, as attackers can systematically identify protected locations through copy operations. The vulnerability essentially creates a side-channel attack vector that bypasses normal authorization checks by exploiting the copyfrom functionality. This represents a regression in security controls that should have been properly enforced, allowing attackers to discover protected information through legitimate repository operations. The fact that both httpd and svnserve are affected indicates that the vulnerability exists at the core Subversion authorization implementation level, making it a widespread concern across different deployment scenarios.
Mitigation strategies should focus on immediate patching of affected Subversion versions to address the authorization regression. Organizations should also implement additional monitoring to detect unusual copy operations that might indicate attempts to exploit this vulnerability. Configuration reviews should ensure that authorization rules are properly enforced and that unnecessary copy operations are restricted. Network segmentation and access controls should be strengthened to limit exposure of vulnerable Subversion servers. Regular security assessments should include testing of authorization controls to verify that copyfrom path information remains properly restricted. The vulnerability highlights the importance of thorough testing of authorization logic during security updates and regression testing of access control mechanisms to prevent similar issues from emerging in the future.