CVE-2024-46901: Apache Subversion: mod_dav_svn denial-of-service via control characters in paths

3.1 CVSS

Description

Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision, leading to disruption for users of the repository.

All versions of Subversion up to and including Subversion 1.14.4 are affected if serving repositories via mod_dav_svn. Users are recommended to upgrade to version 1.14.5, which fixes this issue.

Repositories served via other access methods are not affected.

Classification

CVE ID: CVE-2024-46901

CVSS Base Severity: LOW

CVSS Base Score: 3.1

Affected Products

Vendor: Apache Software Foundation

Product: Apache Subversion

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.44% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://subversion.apache.org/security/CVE-2024-46901-advisory.txt

Timeline

2024-12-10 00:31:27 UTC
CVE

Apache Subversion: mod_dav_svn denial-of-service via control characters in paths
2025-03-15 11:00:31 UTC
Tenable Plugins

SUSE SLES12 Security Update : subversion (SUSE-SU-2025:0871-1)
2025-04-14 06:00:39 UTC
Tenable Plugins

Debian dla-4127 : libapache2-mod-svn - security update
2025-04-14 06:00:50 UTC
Tenable Plugins

Azure Linux 3.0 Security Update: subversion (CVE-2024-46901)