Apache Subversion up to 1.7.9 FSFS Format Repository ASCII 0x0a denial of service
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.2 | $0-$5k | 0.00 |
Summary
A vulnerability has been found in Apache Subversion and classified as critical. This vulnerability affects unknown code of the component FSFS Format Repository. This manipulation of the argument ASCII 0x0a causes denial of service. This vulnerability is registered as CVE-2013-1968. No exploit is available. The affected component should be upgraded.
Details
A vulnerability was found in Apache Subversion (Versioning Software). It has been declared as critical. Affected by this vulnerability is an unknown part of the component FSFS Format Repository. The manipulation of the argument ASCII 0x0a with an unknown input leads to a denial of service vulnerability. The CWE definition for the vulnerability is CWE-404. The product does not release or incorrectly releases a resource before it is made available for re-use. As an impact it is known to affect integrity, and availability. The summary by CVE is:
Subversion before 1.6.23 and 1.7.x before 1.7.10 allows remote authenticated users to cause a denial of service (FSFS repository corruption) via a newline character in a file name.
The weakness was published 05/31/2013 by Stefan Sperling with elego Software Solutions GmbH as confirmed advisory (Website). It is possible to read the advisory at subversion.apache.org. This vulnerability is known as CVE-2013-1968 since 02/19/2013. The attack can be launched remotely. A single authentication is necessary for exploitation. Technical details of the vulnerability are known, but there is no available exploit.
The vulnerability scanner Nessus provides a plugin with the ID 68930 (Apache Subversion < 1.6.23 / 1.7.x < 1.7.10 Multiple Remote DoS), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows. The commercial vulnerability scanner Qualys is able to test this issue with plugin 121469 (Apache Subversion Multiple Security Vulnerabilities).
Upgrading to version 1.6.23, 1.7.11 or 1.8.0 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (84717), Tenable (68930), SecurityFocus (BID 60264†), OSVDB (93796†) and Secunia (SA53692†). Similar entries are available at VDB-8932, VDB-8933 and VDB-8934. Be aware that VulDB is the high quality source for vulnerability data.
Product
Type
Vendor
Name
Version
- 1.6.0
- 1.6.1
- 1.6.2
- 1.6.3
- 1.6.4
- 1.6.5
- 1.6.6
- 1.6.7
- 1.6.8
- 1.6.9
- 1.6.10
- 1.6.11
- 1.6.12
- 1.6.13
- 1.6.14
- 1.6.15
- 1.6.16
- 1.6.17
- 1.6.18
- 1.6.19
- 1.6.20
- 1.6.21
- 1.7.0
- 1.7.1
- 1.7.2
- 1.7.3
- 1.7.4
- 1.7.5
- 1.7.6
- 1.7.7
- 1.7.8
- 1.7.9
License
Website
- Vendor: https://www.apache.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.4VulDB Meta Temp Score: 5.2
VulDB Base Score: 5.4
VulDB Temp Score: 5.2
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Denial of serviceCWE: CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 68930
Nessus Name: Apache Subversion < 1.6.23 / 1.7.x < 1.7.10 Multiple Remote DoS
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 892703
OpenVAS Name: Debian Security Advisory DSA 2703-1 (subversion - several vulnerabilities
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: Subversion 1.6.23/1.7.11/1.8.0
Timeline
02/19/2013 🔍05/31/2013 🔍
05/31/2013 🔍
06/02/2013 🔍
06/03/2013 🔍
06/04/2013 🔍
07/02/2013 🔍
07/17/2013 🔍
07/31/2013 🔍
05/14/2021 🔍
Sources
Vendor: apache.orgAdvisory: subversion.apache.org
Researcher: Stefan Sperling
Organization: elego Software Solutions GmbH
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2013-1968 (🔍)
GCVE (CVE): GCVE-0-2013-1968
GCVE (VulDB): GCVE-100-8935
OVAL: 🔍
X-Force: 84717
SecurityFocus: 60264 - Apache Subversion CVE-2013-2112 Remote Denial of Service Vulnerability
Secunia: 53692 - Apache Subversion svnserve and FSFS Repositories Denial of Service Vulnerabilities, Moderately Critical
OSVDB: 93796
Vulnerability Center: 40281 - Apache Software Foundation Subversion Denial of Service due to Improper Handling of New Line Characters in the FSFS Repository, Medium
See also: 🔍
Entry
Created: 06/04/2013 11:39Updated: 05/14/2021 09:16
Changes: 06/04/2013 11:39 (82), 05/04/2017 10:39 (2), 05/14/2021 09:16 (3)
Complete: 🔍
Committer:
Cache ID: 216:369:103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.